Postgres’ Breakout Year, Agent Protocols Rise, and a Six‑Bug RCE Wake‑Up Call

NEWSLETTER | Amplifi Labs
Postgres Dominates 2025: MCP Everywhere, New Formats, M&A Frenzy
Around the web • January 5, 2026
PostgreSQL extended its lead in 2025 with v18 (async I/O, skip scans, optimizer upgrades) and a wave of Postgres-centric moves: Databricks bought Neon ($1B), Snowflake acquired CrunchyData ($250M), Microsoft launched HorizonDB, and new sharding efforts (Supabase’s Multigres, PlanetScale’s Neki) targeted horizontal scale. Across the stack, Anthropic’s Model Context Protocol—boosted by OpenAI support—became table stakes for agent/database integration, raising permissioning and guardrail concerns, while new columnar formats (Vortex, F3, AnyBlox) pressured Parquet to modernize. Heavy M&A, a Fivetran–dbt merger, and several shutdowns signal consolidation and OLAP commoditization; meanwhile, MongoDB’s lawsuit against FerretDB highlights escalating battles over API compatibility.
Security, Attestation, and Real-World Exploits
Six-bug chain yields pre-auth RCE in LogPoint SIEM/SOAR
Around the web • January 1, 2026
A researcher demonstrates how permissive Nginx routing, a hard‑coded JWT signing secret, leaked internal API credentials, an SSRF pivot to host-only Python endpoints, a reachable eval sink, and a static AES key combine into pre‑auth remote code execution on the LogPoint appliance. The chain traverses dual Nginx, Dockerized Java microservices, and a host Flask backend—escalating via a forged secbi_auth_token to a hidden ‘secbi’ superuser before triggering code execution through the rule engine. Patches shipped in 7.5.0 with multiple CVEs; operators should upgrade immediately and audit for path-based exposure, static secrets, SSRF, and eval sinks.
Linux TCG_TPM2_HMAC Fails Active Interposer Threat; Disabled by Default
Around the web • January 5, 2026
A deep dive shows Linux’s TCG_TPM2_HMAC, which encrypts/HMACs TPM bus traffic using a boot-volatile Null Primary Key, inverts the measured-boot trust chain by delegating key attestation to userspace—letting active interposers spoof the key and tamper with PCR extends despite heavy crypto overhead. Remote attestation doesn’t resolve which key the kernel actually used, so protections can be bypassed while appearing intact. The feature was re-disabled by default in Linux 6.18 (Aug 2025); passive snooping is better handled with EK-based encrypted sessions, and robust defenses require a CPU-integrated root of trust (e.g., Caliptra).
AI in Production: Patterns and Product Shifts
Curated Agentic AI Patterns to Ship Production-Ready Agents
Around the web • January 4, 2026
An open, Apache-2.0 catalog compiles repeatable agentic AI patterns from real-world implementations, covering orchestration and control, context and memory, feedback loops, tool use, UX/collaboration, and reliability/eval. The repo provides concrete, reference-backed mini-architectures (e.g., task decomposition, vector caches, guardrails, eval harnesses) and welcomes community PRs that auto-generate listings. Useful for teams moving beyond demos, it shortens time-to-production and improves reliability of autonomous and semi-autonomous agents.
Microsoft rebrands Office to Microsoft 365 Copilot, unifying apps and AI
Around the web • January 5, 2026
Microsoft has rebranded Office as the Microsoft 365 Copilot app, centralizing Microsoft 365 apps and Copilot Chat in a single, AI-first experience. The app prioritizes quick access to generative assistance, collaboration, and OneDrive-backed content with enterprise data protections. Organizations should expect UI/navigation changes and wider Copilot touchpoints across daily workflows.
Developer Tools and Systems Engineering
taws: Open-source k9s-style Terminal UI for Managing AWS
Around the web • January 4, 2026
taws is an open-source Rust TUI that lets you browse and interact with 90+ AWS resource types across 60+ services, with multi-profile/region support, real-time updates, and Vim-like navigation. It offers detailed JSON/YAML views, filtering/autocomplete, read-only mode for safer audits, and common actions like starting/stopping/terminating EC2 instances. Install via Homebrew, Cargo, or platform binaries; standard AWS credentials and Describe/List IAM permissions are required.
Open-Source Analyzer Brings Rust-Like Borrow Rules to C++
Around the web • January 5, 2026
A new open-source static analyzer aims to bring Rust-style borrow checking and memory safety to C++ without compiler changes, using comment-based @safe/@unsafe annotations and external API lifetime specifications. Built on libclang, it provides a CLI that reads compile_commands.json, optional CMake integration, Rust-inspired types (Box/Arc/Vec/Option/Result), and Send/Sync concepts for thread-safety. The author reports building it rapidly with AI coding assistants, highlighting how LLM-driven development is accelerating systems tooling.
UX and Accessibility in Practice
Practical UX Patterns for Deaf and Hard-of-Hearing Users
Smashing Magazine • December 30, 2025
A practical guide details how to design digital products for Deaf, deaf, and hard‑of‑hearing users, noting that deafness is a spectrum, most users don’t know sign language, and lip reading captures only ~30% of words. Recommendations include offering non‑phone contact and multimodal communication, transcripts and high‑quality captions that identify speakers and describe non‑speech sounds, haptic/mobile alerts, and video practices that support facial cues. Treat accessibility as a first‑class requirement and test with the community to broaden reach to the 466M people with hearing loss while avoiding costly retrofits.
