Reddit DevOps
Reddit DevOps. #devops
Thanks @reddit2telegram and @r_channels
PyPI Malicious Packages Threaten Cloud Security


Fake packages in the Python Package Index put cloud security at risk. Researchers have identified two malicious packages posing as 'time' utilities and, alarmingly, they gained over 14,100 downloads. The downloaded packages allowed for unauthorized access to sensitive cloud access tokens.

The incident highlights the pressing need for developers and DevOps practices to scrutinize package dependencies more rigorously. With the ties these malicious packages have to popular projects, awareness and caution are crucial in order to avert potential exploitation.

- Over 14,100 downloads of two malicious package sets identified.

- Packages disguised as 'time' utilities exfiltrate sensitive data.

- Suspicious URLs associated with packages raise data theft concerns.

(View Details on PwnHub)


https://redd.it/1jbxxok
@r_devops
Tj-actions/changed-files GH Action is compromised.

https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

We use this one in our workflows.

It seems like it shouldn't be a problem if your repos are private or internal.

Public repos will definitely want to determine their level of exposure.

https://redd.it/1jbzdsm
@r_devops
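One way to determine the exposure the post above mentions, as an added example that is not part of the original post: this Python sketch lists every workflow step that uses a given action and whether its ref is a full 40-character commit SHA or a mutable tag or branch. The sample workflow, the `v1` tag and the SHA are constructed placeholders, and `find_action_uses` and `scan_repo` are hypothetical helper names.

```python
import re
from pathlib import Path

# Matches "uses: owner/repo[/path]@ref", optionally quoted and preceded by "- ".
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?(?P<action>[\w.-]+/[\w.-]+)"""
    r"""(?P<path>/[^@\s'"]*)?@(?P<ref>[^\s'"#]+)"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: changed
        uses: tj-actions/changed-files@v1
      # - uses: tj-actions/changed-files@v0
      - uses: "tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567"
"""


def find_action_uses(workflow_text, action):
    """Return (line_no, ref, pinned_to_sha) for each step that uses `action`."""
    hits = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out steps never run
        m = USES_RE.match(line)
        if m and m.group("action").lower() == action.lower():
            ref = m.group("ref")
            # A tag or branch can be moved to another commit later; a full
            # SHA cannot, but it still has to be a commit you have reviewed.
            hits.append((line_no, ref, bool(FULL_SHA_RE.match(ref))))
    return hits


def scan_repo(root, action):
    """Scan <root>/.github/workflows and return {workflow_path: hits}."""
    report = {}
    wf_dir = Path(root) / ".github" / "workflows"
    if not wf_dir.is_dir():
        return report
    for path in sorted(wf_dir.glob("*.y*ml")):
        hits = find_action_uses(path.read_text(encoding="utf-8"), action)
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    for line_no, ref, pinned in find_action_uses(
        SAMPLE_WORKFLOW, "tj-actions/changed-files"
    ):
        state = "commit SHA" if pinned else "mutable tag/branch"
        print(f"line {line_no}: @{ref} ({state})")
```

Run `scan_repo(".", "tj-actions/changed-files")` from a checkout to get the same report per workflow file.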
Devops market, real situation.

Guys, I’ve been out of a job for a long time. Been on and off doing some side hustles to keep up with bills etc. Have a family. So, long story short, recently I started upgrading my skills: Kubernetes, AWS, Python etc. I’m doing a lot of labs and a lot of troubleshooting along the way. But the frustration comes from my surroundings. I have people around me, engineers, and whenever we meet, they try to take me down with crazy stories that the market is terrible, there are no jobs, we all sit at work scared that layoffs might happen any day soon etc. So basically they say ‘don’t even dream about it’. But I have hit rock bottom, can pay my bills, or barely pay. So I need some real perspective from you guys; I trust and believe you’re gonna share the real story. Cuz whenever I google DevOps jobs near me it would pop a lot of jobs. So I don’t know whether it’s all fake just for statistics or what the true situation is like. Appreciate your input.

https://redd.it/1jc0xaf
@r_devops
Anyone using GKE with Windows nodes?

Hey,

I have got the task of managing GKE clusters that have Windows nodes with a couple of containers running on them.

The main problem I'm having is cold starts. The container images are quite big and we have a spiky load, meaning that during working hours we scale up to a hundred and something nodes and then we go back to a dozen.

I have tried multiple approaches to improve this but it seems that GKE doesn't support custom node images nor using secondary disks for image caching/streaming.

If you have any tip it would be highly appreciated.

Thanks!

https://redd.it/1jc0tvh
@r_devops
Docker Login to Nexus Failing in Jenkins Pipeline (Mac)

Hey everyone,

I’m struggling with a Jenkins pipeline issue when trying to log in to Nexus using Docker. Here’s the error I’m getting:
*****************************************************************************
docker login -u admin -p ****** https://nexus:8083

WARNING! Using --password via CLI is insecure. Use --password-stdin

Error response from daemon: Get "https://nexus:8083/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

*****************************************************************************
My setup:

• OS: Mac

• Docker: Docker Desktop installed

• CI/CD tools running in Docker containers: Jenkins, SonarQube, Nexus

• Jenkins setup: Docker is installed inside the Jenkins container

• Nexus: Running as a container

• Users & Permissions: Created a group in Nexus and added my user to it

I’ve already tried:

• Running docker login manually inside the Jenkins container → Same timeout error

• Checking if Nexus is accessible (curl https://nexus:8083) → Sometimes works, sometimes times out

• Restarting Nexus & Jenkins → No change

I’ll attach some screenshots from my Jenkins logs, Nexus settings, and Docker setup.

Has anyone faced a similar issue? Could it be a networking issue with Docker? Any suggestions would be appreciated!

Thanks in advance.


https://redd.it/1jc2mzw
@r_devops
# TracePerf: TypeScript-Powered Node.js Logger That Actually Shows You What's Happening

Hey devs! I just released **TracePerf** (v0.1.1), a new open-source logging and performance tracking library built with TypeScript that I created to solve real problems I was facing in production apps.

# Why I Built This

I was tired of:

* Staring at messy console logs trying to figure out what called what
* Hunting for performance bottlenecks with no clear indicators
* Switching between different logging tools for different environments
* Having to strip out debug logs for production

So I built TracePerf to solve all these problems in one lightweight package.

# What Makes TracePerf Different

Unlike Winston, Pino, or console.log:

* **Visual Execution Flow** \- See exactly how functions call each other with ASCII flowcharts
* **Automatic Bottleneck Detection** \- TracePerf flags slow functions with timing data
* **Works Everywhere** \- Same API for Node.js backend and browser frontend (React, Next.js, etc.)
* **Zero Config to Start** \- Just import and use, but highly configurable when needed
* **Smart Production Mode** \- Automatically filters logs based on environment
* **Universal Module Support** \- Works with both CommonJS and ESM
* **First-Class TypeScript Support** \- Built with TypeScript for excellent type safety and IntelliSense

# Quick Example

// CommonJS
const tracePerf = require('traceperf');
// or ESM
// import tracePerf from 'traceperf';

function fetchData() {
  return processData();
}

function processData() {
  return calculateResults();
}

function calculateResults() {
  // Simulate work
  for (let i = 0; i < 1000000; i++) {}
  return 'done';
}

// Track the execution flow
tracePerf.track(fetchData);

This outputs a visual execution flow with timing data:

Execution Flow:
┌──────────────────────────────┐
│ fetchData │ 5ms
└──────────────────────────────┘


┌──────────────────────────────┐
│ processData │ 3ms
└──────────────────────────────┘


┌──────────────────────────────┐
│ calculateResults │ 150ms ⚠️ SLOW
└──────────────────────────────┘

# TypeScript Example

import tracePerf from 'traceperf';
import { ITrackOptions } from 'traceperf/types';

// Define custom options with TypeScript
const options: ITrackOptions = {
  label: 'dataProcessing',
  threshold: 50, // ms
  silent: false
};

// Function with type annotations
function processData<T>(data: T[]): T[] {
  // Processing logic
  return data.map(item => item);
}

// Track with type safety
const result = tracePerf.track(() => {
  return processData<string>(['a', 'b', 'c']);
}, options);

# React/Next.js Support

import { useEffect } from 'react';
import tracePerf from 'traceperf/browser';

function MyComponent() {
  // Run the tracked operation once, after the first render
  useEffect(() => {
    tracePerf.track(() => {
      // Your expensive operation
    }, { label: 'expensiveOperation' });
  }, []);

  // ...
}

# Installation

npm install traceperf

# Links

* [GitHub Repo](https://github.com/thelastbackspace/traceperf)
* [NPM Package](https://www.npmjs.com/package/traceperf)
* [Documentation](https://github.com/thelastbackspace/traceperf#readme)

# What's Next?

I'm actively working on:

* More output formats (JSON, CSV)
* Persistent logging to files
* Remote logging integrations
* Performance comparison reports
* Enhanced TypeScript types and utilities

Would love to hear your feedback and feature requests! What logging/debugging pain points do you have that TracePerf could solve?

https://redd.it/1jc4mjx
@r_devops
Host in Apache Web server with React

Hello! I'm currently practicing deployment on web servers and I really can't find any solution online, so I came to ask here.

I'm currently deploying a Vite React TypeScript app with TanStack routing, but I'm experiencing a major problem.

Whenever I go to my URL, which is my subdomain, it works well, but when I navigate to certain routes, which are file-routing based, it gives me an Internal Server Error which I really don't have any idea about. Here are the steps I did:

(file structure)
/SubDomain
- .htaccess
- ./dist (after build i deleted everything except .dist)

.htaccess:


RewriteEngine On

# Force redirect from HTTP to HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Serve static files from the dist folder
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /dist/$1 [L]

# Handle SPA routing (React/Tanstack Router)
# Redirect any request that isn't a file or directory to index.html
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /dist/index.html [L]

# Explicitly set DirectoryIndex to index.html
DirectoryIndex /dist/index.html

Thanks.

https://redd.it/1jcdwet
@r_devops
Got into devops. Looking to connect

With people who are career driven and love growth. Would love to be in touch and learn from you.

My job consists of dual roles where it would be DevOps + cybersecurity (cloudsec and a bit of GRC). I believe I have a once-in-a-lifetime kind of opportunity and I want to make the best out of it. I just want to be surrounded by like-minded people to learn and grow. Looking forward to hearing from you.

Edit: I also intend to work on side projects to learn stuff and make myself more employable.

https://redd.it/1jci2l7
@r_devops
What should I pick as a career in DevOps

Hi everyone, I am 20 years old. I have worked with Java for a long time and I want to move towards DevOps. So far I have started working on shell scripting and Python for DevOps (from YT), and worked with Docker. What should I do to get a good job by next year, as I will have graduated?

Your responses would help me a lot

https://redd.it/1jcjerq
@r_devops
For all wanting to enter DevOps, here's my personal "stand out" tips

Hello all,

Do-everything developer of ~20 years who transitioned into DevOps 5 years ago reporting in - born from the struggles with my own current team members and the vast majority of DevOps candidates we interview, I wanted to share my thoughts about the industry and candidates we come across:

- 95% of good DevOps engineers were developers first - there are exceptions, but being a DevOps Engineer is knowing the pain your devs face and most importantly improving it.

- Leaping from SysAdmin => DevOps is 1000x more difficult to pull off than Dev => DevOps - not impossible, but non-developers in my experience largely do not/will not learn the fundamental good code-writing practices that all devs will learn on day one.

The number of candidates we reject each month that think doing "AZ101" certifications or telling me how much their Golang/Rust stack "could" scale is indescribable - not unimportant having that skillset, but if you operate in a DevOps team just working with brand-new stacks and technologies each day and pay no attention to the business-process pain your staff base is dealing with, you won't last.

- Please, please learn the basics of computer hardware, networking (IPv4/IPv6, DNS, DHCP) outside of a cloud environment - the number of people who claim experience with these but falter as soon as it's not "in an AWS VPC" is unbelievable.

- Be hungry to learn, forever, always. - if you're not one of the most technically-innovative people in your company, and at least somewhat interested in tech/dev outside of work, you will fail - and you should. DevOps is not a role for people to do average and milk it for what it's worth.

At the risk of sounding like a bitter veteran with the above - these are just my own experiences and guidance I would give to new entrants to the industry if I could :)

Bitterness aside - if you really "give a shit" about learning and innovation, my top tips are as follows:

- Innovate and develop new strategies or approaches as a primary goal - you will come across 40-50 year old employees that are bitter about your success and innovation, give them no reasons to have a point, let your good work speak for itself.

- Don't work for any company that you would be worried about spotting a mistake and owning up to it - I'm fortunate where I work that we foster and encourage a "see it, say something" culture and do not tolerate blame culture aside from intentional negligence - you will learn the most working in this kind of environment.

- Don't be afraid to propose huge changes to 20 year old business processes - the amount of stupid bullshit companies will follow for years on end without questioning is endless - chances are if you're a DevOps Engineer and think you've found a novel solution to something, you're very probably right.

- Stay humble and keep close with any engineers/dev staff that you service or look after - these folks are your bread and butter - the second you lose touch with them, you lose your technical sway and influence - and your own sense of "what needs to be improved".

https://redd.it/1jck1r2
@r_devops
Should I learn Oracle DBA as a DevOps/Platform Engineer in 2025?

I am an entry-level DevOps Engineer working in a mid-size (300+ dev) software company for almost 3 years. I mostly maintain our on-prem PROXMOX cluster, K8S cluster, monitoring/alerting (500+ VM and WS), and do some scripting in Bash and Python. My senior colleague does the same, but additionally he is our Oracle DBA. Lately I realized that I was hired to be a substitute for my colleague. But nobody guides me in that way. Recently a few DBA tasks have been assigned to me on the basis that I should know these, as I have been working for a fairly long time alongside my colleague. So I am thinking of taking an Oracle DBA course.
But I have a lot to learn in the DevOps/SRE era in 2025. I was planning to get a couple of certs in AWS/K8S and learn a new language like Go/Rust etc.
I don't know what will happen in the future. Maybe they will move this DB stuff into the cloud. Maybe they will adopt a service for which no DBA is needed. Besides, if I switch companies, maybe they will not need DBA skills for the position that I want to apply for. So the time I spend learning DBA will be a waste. Now, should I spend time learning complete Oracle DBA, or just scrape the web to get things done and focus on other things?

https://redd.it/1jclciv
@r_devops
Friendly reminder for you picky code-quality folks

Bitter lessons from my own 6 year journey with ~450 engineering/dev staff:

- As much as you design, document and broadcast good code standards, if you don't codify it no-one will give a shit.

I cannot stress this enough - the second I just wrote my own linter/code style/line feed/brace standards into a pull request merge-time pipeline, suddenly compliance was through the roof.

The vast majority of staff in any company are there to execute the bare-minimum to claim a 9 - 5 and no more.

Instead of having one-on-one disagreements and explanation sessions with your staff, spend your time automating your quality standards.

Without qualifying all dev staff as careless - 100% of them can't ignore a YOU CAN'T MERGE THIS UNTIL YOU FIX THIS message, and I cannot explain how much friction this has removed from my work week while achieving the same goal 10x more effectively than me chasing people to adhere to our agreed standards.

Maybe it's just me that didn't think of this sooner, but my god - if you're trying to level good standards across ~2k Git repositories, automating your own standards is the only way.

https://redd.it/1jcm0wk
@r_devops
Container base images aren't scary

Your company's Architecture should be leading the charge for most base image decisions, but at least where I work now, individual product teams have historically had no guidance from Architecture ~~Architecture are useless~~ and just picked whatever they liked at the time - the result being a scatter of Alpine, Debian, Ubuntu, and various others across teams.

Docker tag conventions were super confusing for me for a long time, and it's honestly something that never really 'clicks' until you work at scale across a lot of dev teams/products and hit the niche reasons why certain distros or tags are required at certain times.

The trick to tag selection is understanding what things you specifically care about in your base image. The less specific (and usually shorter) the tag you select is, the more "defaults" will be selected for you by the image maintainer.

If we take the .NET Runtime as an example, if you request 8.0 it will give you a base image with Debian by default.

If you wanted a different underlying distro, you could select 8.0-alpine (Alpine) or 8.0-jammy (Ubuntu) instead.

You can get even more specific and say you want Alpine AND to never pull versions higher than 8.0.0 (no hotfixes/minor versions) by selecting 8.0.0-alpine, but that's rarer.

Even rarer still, you can select one of the -amd64 or -arm64 tags if you need a specific CPU architecture to build against.

---

My usual process these days for selecting an image is:

> Prefer a purpose-built image for the tech stack/language/service you're after (e.g. node, nginx) before you resort to a stock distro image (e.g. Debian).

Way less of a maintenance pain in the butt when new versions come out, and it's very likely the more specific base image will deal with oddities of that particular app/language on your behalf.

---

> At a bare minimum, the tag you select needs to be locked to the version of the stack (e.g. node, dotnet) that your codebase requires.

Please don't use latest, you're in for a world of hurt when latest becomes your version of <x> language + 1 and breaks things overnight. - if you use Kubernetes, please read the prior sentence until it's burned into your brain before you ever touch another cluster - otherwise you will find yourself wasting a whole day diagnosing "why does 1 node in my cluster run it fine and the other <x> don't".

Use proper version numbers for your final app images too - latest is awful to tag your final build images with, especially if you're using Kubernetes. Quickly you'll hit scenarios where machines think they have latest already, but you're trying to roll out a newer latest.

Shout-out to GitVersion as my place's tool of choice, but there are many other awesome tools to achieve distinct reliable versioning for your builds - at the very least you can just use the current Git SHA256 commit hash if you're lazy - THIS IS STILL BETTER THAN latest.

---

> Try and get some standards going around which underlying distribution you want to use across the organization.

At scale, it's no fun when every app team is using a different underlying distro and you constantly have to try and remember which shell or tools are available while you're attached to a container for debugging.

---

> Defaulting to Alpine as an underlying distro is a great starting point.

Alpine images are almost always significantly smaller than the corresponding Debian/Ubuntu ones.

Just beware of its musl standard C library rather than glibc like most other distros. Absolutely fine for 99% of modern apps, but some apps have to be specifically compiled for musl to work under Alpine.

---

> Don't get too caught up in image size comparisons when choosing your underlying distro, pick one you're familiar with instead.

---

edit: wanted to add that distroless images are becoming increasingly popular - while they are awesome (e.g. .NET Chiselled Ubuntu, Google's Node.js distroless) - do not focus on going distroless before you harmonize your company's base OS/images.

Spend your days getting everyone using the same Alpine/Debian/Ubuntu/whatever image first - your challenge of moving these containers to distroless/hardened images will be 100x easier if you do.

https://redd.it/1jclbjk
@r_devops
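The tag-selection rules from the post above, turned into a check that can run in a merge pipeline (an added example, not part of the original post): it reads the `FROM` lines of a Dockerfile and reports how much of the base image each tag actually locks down. The sample Dockerfile is constructed for parsing only, and the verdict names and the functions `split_ref`, `classify` and `audit_dockerfile` are hypothetical.

```python
import re

# FROM [--platform=...] <image>[:tag][@digest] [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?",
    re.IGNORECASE,
)
# A tag that starts with a numeric stack version, optionally followed by a
# variant such as "-alpine" or "-jammy".
TAG_RE = re.compile(r"^(?P<version>\d+(?:\.\d+)*)(?:-(?P<variant>.+))?$")

# Constructed sample using the .NET tags the post mentions.
SAMPLE_DOCKERFILE = """\
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
RUN dotnet publish -o /out
FROM build AS test
FROM node:latest AS assets
FROM nginx
FROM mcr.microsoft.com/dotnet/runtime:8.0-alpine
FROM mcr.microsoft.com/dotnet/runtime:8.0.0-alpine AS final
"""


def split_ref(ref):
    """Split an image reference into (name, tag, digest)."""
    name, _, digest = ref.partition("@")
    # Only a colon after the last "/" separates a tag (registry:5000/img).
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    else:
        tag = None
    return name, tag, digest or None


def classify(tag, digest):
    """Say how much of the base image the reference pins."""
    if digest:
        return "digest-pinned"
    if tag is None or tag == "latest":
        return "floating"            # maintainer picks everything
    m = TAG_RE.match(tag)
    if not m:
        return "no-stack-version"    # e.g. "alpine": distro only
    if m.group("variant") is None:
        return "version-only"        # distro left to the maintainer default
    if m.group("version").count(".") >= 2:
        return "patch-and-distro"    # e.g. 8.0.0-alpine
    return "version-and-distro"      # e.g. 8.0-alpine


def audit_dockerfile(text):
    """Return (line_no, image_ref, verdict) for every external base image."""
    findings, stages = [], set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        # Skip "scratch" and references to an earlier build stage.
        if ref.lower() not in stages and ref != "scratch":
            if "$" in ref:
                findings.append((line_no, ref, "unresolved-arg"))
            else:
                _, tag, digest = split_ref(ref)
                findings.append((line_no, ref, classify(tag, digest)))
        if m.group("stage"):
            stages.add(m.group("stage").lower())
    return findings
```

Failing the pipeline on `floating` and `no-stack-version` enforces the post's bare minimum; the other verdicts are informational.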
From where should I start and what should I learn

So I'm a BTech IT student, and after trying web development and DSA, I know these are not for me. I started learning about DevOps and I gained interest in it. So please suggest some resources from where I should learn and what I should learn in particular order, and suggest free resources because I have money problems.

https://redd.it/1jco1zb
@r_devops
Github actions - Runners giving role assignments

Hello :)

After researching best practices for assigning roles in an IaC workflow, I haven't found a clear, definitive "proper way" to do it.

Initially, I considered using a broker system with PIM and JIT for Azure, but this doesn’t seem to work with workload identities. While it’s possible to simulate this with code, it feels a bit janky.

Has anyone tested different approaches to handle this?

Essentially, I want to avoid giving a workload identity permanent role assignment capabilities. Is this "just the way it's done", or is there a better way to achieve it?

https://redd.it/1jcsz7i
@r_devops
Help with a School Project on Cloud Management

Hey everyone! 👋

If you work with AWS, Azure, or GCP, I’d love to get your insights on cloud infrastructure management! I’m running a short survey to understand how engineers and DevOps teams handle cloud optimisation, automation, and security.

The survey is completely anonymous, and I’d really appreciate your time!

👉 **Take the survey here**

Thanks in advance for your time!

https://redd.it/1jcuox1
@r_devops
k8s monitoring costs are exploding at my startup

Please let me know if this is the correct place to post.

I'm in a bit of a situation that I wonder if any of you can relate to. I'm the fractional CTO at a rapidly growing startup (100+ microservices, elasticsearch k8s), and our observability costs are absolutely DESTROYING our cloud budget.

We're currently paying close to $80K/month just for APM/logging/metrics (not even including infrastructure costs 😭).

I've been diving deep into eBPF-based monitoring solutions as a potential way out of this mess. The promise of "monitor everything with zero code instrumentation" sounds almost too good to be true.

Has anyone here successfully made the switch from traditional APM tools (Datadog/New Relic) to eBPF-based monitoring in production?

Specifically, I'm curious about:

\- Real-world performance overhead on nodes

\- How complete is the visibility really? (especially for things like HTTP payload inspection)

\- Any gotchas with running in production?

\- Actual cost savings numbers if you're willing to share

Would love to hear your war stories and insights.

https://redd.it/1jcym3x
@r_devops
Most recognized/useful certs in DevOps?

Hello, sitting at about 5 YOE as a cloud/DevOps engineer. Have a good grasp of everything in the cloud, got a bunch of AWS and Azure certs.

Have been given some professional development time at work and they generally like us to get certificates. I was wondering if anyone could suggest a certification that is generally highly regarded in DevOps? Was leaning towards a kubernetes or possibly redhat cert.

https://redd.it/1jd1fqh
@r_devops