Operations | Monitoring | ITSM | DevOps | Cloud

The latest News and Information on Continuous Integration and Development, and related technologies.

Multiple Malicious Packages Discovered on PyPI, npm, and RubyGems

Evidence of broad and sustained attacks using several npm, Python, and Ruby packages continues to emerge. A series of malicious packages have been added to the npm, PyPI, and RubyGems package repositories. The attacks have been ongoing for some time, with some seeded years ago. Their aims are manifold, including stealing funds from crypto wallets, deleting codebases, and obtaining Telegram messaging data.

Hyperparameter tuning for LLMs using CircleCI matrix workflows

Hyperparameter tuning is a critical step in optimizing large language models (LLMs). Parameters such as learning rate, batch size, weight decay, and number of training epochs can significantly affect convergence behavior and final model performance. While several approaches like grid search or random search are widely used, executing them manually is inefficient; especially when each training run is compute-intensive.

Docker Hardened Images for tightened security and strong provenance

Docker's VP of Product, Michael Donovan, gives a quick overview of Docker Hardened Images and how they make open source software available in a hardened image container. They're minimal images with less attack surface and SLSA level 3 artifact compliance. They carry extensive provenance data, including SBOMs, CVEs, and VEX. Be confident that your software is safer from attack using Docker Hardened Images and Cloudsmith.

Michael Donovan, VP of Product at Docker, has a hot take on shift left security

Shift left means improving security at the early stages of software development. Is it the best approach? See the full webinar: https:/cloudsmith.com/webinars Get to know Cloudsmith: About Cloudsmith We offer the world's best cloud-native artifact management platform to control, secure, and distribute everything that flows through your software supply chain. Cloudsmith operates at enterprise scale, reduces risk, and streamlines builds.
Sponsored Post

CI/CD vs. EaaS: Choosing the Right Development Workflow

CI/CD (Continuous Integration/Continuous Deployment) automates code integration, testing, and deployment. It speeds up development, improves code quality, and ensures reliable releases. EaaS (Environments as a Service) provides temporary, production-like environments for testing, staging, or demos. It streamlines resource usage, speeds up validation, and supports parallel development.

Check the status of your CircleCI pipeline without leaving your IDE

Waiting on CI is one thing. Keeping tabs on it without breaking focus is another. Most developers track build progress by opening the CircleCI UI, navigating to the project, and digging through pipelines to find the latest run for a specific branch. It’s not hard, but it pulls you out of flow. Especially when you’re doing it multiple times a day across projects.

OWASP CI/CD Part 4: Poisoned Pipeline Execution (PPE)

Modern development teams often rely on Continuous Integration (CI) pipelines to automate testing, building, and deployment of their code These pipelines are typically defined through configuration files stored within the source code repository. Developers, DevOps engineers, or other contributors with the appropriate permissions frequently need to edit these files to adjust workflows, add new checks, or support evolving project requirements.

End-to-end testing and deployment of a multi-agent AI system with Docker, LangGraph, and CircleCI

Multi-agent AI systems are transforming how intelligent applications are built. By orchestrating multiple specialized agents that collaborate to solve complex tasks, these systems enable more dynamic and efficient workflows. However, deploying such a system reliably and at scale requires a structured approach to testing, packaging, and automation.