AWS Security Digest #262 - Not Private
Key Takeaways
- CISA contractor left GovCloud keys public for 48 hours, exposing three accounts
- TeamPCP npm worm hit @antv, targeting 323 packages and ~16M weekly downloads
- AWS added Security Agent verification scripts and expanded Security Hub identity checks
- Pathfinding Labs now offers 100+ intentionally vulnerable AWS labs for blue‑team testing
- CVE‑2021‑25740 lets tenants hijack traffic in shared EKS load balancers
Pulse Analysis
Credential exposure continues to be a top‑tier risk for cloud‑first organizations. The recent CISA incident—where administrative GovCloud keys were committed to a public repository—underscores how even well‑funded agencies can stumble on basic secret‑management hygiene. Attackers who discover such keys gain unfettered access to high‑privilege resources, and the 48‑hour window before remediation demonstrates the need for continuous secret‑scanning and automated key rotation. Enterprises should adopt tools like AWS Security Hub’s unused‑access detection and integrate third‑party secret‑detection pipelines to catch leaks before they become exploitable.
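The continuous secret-scanning step this paragraph calls for, as an added example that is not from the digest or from any tool it names: a minimal scanner for AWS access key IDs and secret access keys, run over a constructed credentials file of the kind that ends up in a public repository. The key values are the placeholder credentials from AWS's own documentation, and the entropy threshold is an assumed cutoff that lets real keys through while dropping low-entropy placeholders.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample of a credentials file committed by mistake; the key values
# are the placeholder credentials from AWS's own documentation, not live keys.
SAMPLE_FILE = "\n".join([
    "[default]",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "region = us-gov-west-1",
    "aws_secret_access_key = " + "x" * 40,  # low-entropy placeholder, must not be reported
])

# Long-term key IDs start with AKIA, temporary STS ones with ASIA; both are 20 chars.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret keys are 40 base64-alphabet chars; anchoring on the key name cuts false positives.
SECRET_KEY_RE = re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})")
ENTROPY_THRESHOLD = 3.5  # bits/char; assumed cutoff that passes real keys and drops placeholders

@dataclass
class Finding:
    line: int
    kind: str
    masked: str  # never record the full secret, only enough to locate it

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (0.0 for a string of one repeated char)."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def mask(secret: str) -> str:
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]

def scan_text(text: str) -> list[Finding]:
    """Scan file contents line by line for AWS access key IDs and secret access keys."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(lineno, "aws_access_key_id", mask(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(lineno, "aws_secret_access_key", mask(m.group(1))))
    return findings

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f.line}: {f.kind} {f.masked}")
```

Wired into a pre-commit hook or a CI step, the same `scan_text` call over each staged file blocks the commit before the key ever reaches a remote, which is the point at which the 48-hour exposure window described above would otherwise begin.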
Supply‑chain attacks are evolving from simple malicious packages to sophisticated worms that harvest cloud credentials. The TeamPCP npm worm, now in its fifth wave, infiltrated Alibaba’s popular @antv visualization library, spreading across 323 packages and reaching roughly 16 million weekly downloads. Its payloads scrape the EC2 instance metadata service (IMDS) and Secrets Manager for credentials, then persist via compromised GitHub Actions workflows and a trojanized VSCode extension. This escalation forces security teams to treat every dependency update as a potential breach vector, enforce least‑privilege CI roles, and eliminate long‑lived keys in pipelines. Coupled with the release of Pathfinding Labs’ 100+ vulnerable AWS environments, practitioners have a sandbox to validate detection capabilities against realistic privilege‑escalation paths.
On the defensive side, AWS rolled out several enhancements: Security Agent now includes verification scripts for pentest findings, Security Hub can flag unused identities, and the new ExtendDB open‑source DynamoDB‑compatible adapter expands data‑store options. Meanwhile, Anthropic’s Claude Platform on AWS arrives with IAM‑based SigV4 authentication, reinforcing the trend toward native, auditable AI services. However, structural flaws like Kubernetes CVE‑2021‑25740 remain unpatched, allowing cross‑namespace traffic hijacking in shared EKS load balancers. Organizations should isolate load balancers, adopt the Gateway API, and restrict routing‑table write permissions to mitigate this lingering threat. Together, these developments illustrate a shifting security landscape where proactive credential hygiene, supply‑chain vigilance, and robust tooling are essential for resilient cloud operations.