Monday,
September 22, 2025

🥖 Palette Cleanser

Imagine, for a moment, a software ecosystem that has external libraries for trivial operations like "is-odd" and "is-even," and those libraries are used by thousands of projects. Now, further imagine that ecosystem catching on fire due to a worm that uses package distribution to steal credentials and replicate. After imagining the former, the latter doesn't feel like a stretch to me.

Anyway... that's exactly what happened this week with the malware campaign dubbed "Shai-Hulud," named after the Git branch it creates in code repos after stealing creds and making those repos public. Over 500 packages have been compromised as post-installation scripts run on systems that install the poisoned packages and then proceed to compromise even more. Isn't JavaScript/Node/NPM just the best? Pin your packages, rotate your creds, and stay safe online, friends.

In better news, AWS shipped some sweet updates to the CLI we all love. The "configure" command now supports temporary credentials. Previously, the prompter did not ask you for an "aws_session_token," but now it will if appropriate. There's also a new "configure mfa-login" command, which handles getting MFA-protected temporary credentials with an OTP-based authenticator for an IAM user. That's a lot less messing around to be secure for us nerds.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

  • Creating an OpenSearch Service cluster and configuring authentication and authorization by Arseny Zinchenko

    The post shows how to spin up an Amazon OpenSearch Service cluster and then wrangle the messy layers of access: network, IAM, and OpenSearch’s own fine-grained access control. Of course, there are IAM gotchas, like if your IAM policy uses ".../domain/test/*," you can run searches, but cluster-level calls like "es:AddTags" will fail unless the resource is set to just ".../domain/test".

  • A Candid Perspective on the Cloud Threat Landscape: A Recap from fwd:cloudsec EU by Invictus

    Apparently, AWS accounted for nearly a quarter of observed cloud incidents so far this year, with most cases starting from compromised accounts and supply-chain pivots. Long-lived IAM keys and weak monitoring are still the soft spots, and the write-up calls out the need to actually map AWS-specific TTPs - like those in the AWS Threat Technique Catalog - so defenders stop drowning in theory and start detecting what’s really happening in their logs. Oracle Cloud accounted for 2%, and it made me wonder if we're going to need an Oracle Security Digest once they buy TikTok?

  • Is GDLockerSec Really Targeting AWS? by KELA

    If you've never had to deal with a minimal-info claim of a data breach, I'm willing to bet you are living your best life. GDLockerSec tried to boost its profile by claiming it had breached Amazon AWS and was sitting on a 9GB leak. KELA dug in and found the “AWS data” was nothing more than a public Kaggle training set stored in an S3 bucket, with no sign of compromise to AWS itself. Some fun OpSec fails inside.

Bonus: Beyond CVEs: The Exploitation of Everyday Misconfigurations

🥗 AWS security blogs

🍛 Reddit threads on r/aws

💸 Sponsor shoutout

Pleri logo

Meet Pleri: your AI-powered cloud security teammate. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.

🤖 Dessert

Dessert is made by robots, for those that enjoy the industrial content.

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

📺 AWS security bulletins

    No bulletins this week.

🚬 Security documentation changes

YouTube Twitter LinkedIn

Crafted with ❤️ by Plerion. We simplify cloud security.