🥖 Palette Cleanser

The big rah rah this week was that Anthropic accidentally shipped Claude Code version 2.1.88 with a 59.8 MB TypeScript source map included in the npm package, before pulling it within hours. But was it really that bad? The compiled JavaScript bundle was always public on npm (that's just how packages work), but the source map embedded the original ~512,000 TypeScript lines exposing internal tool architecture, permission enforcement logic, trust model logic, and session token handling that would otherwise be unreadable in minified form.

Supply chain attacks are getting more targeted and sophisticated and the axios maintainer's account of how he was compromised is worth reading in full. In his own words, the attacker reached out masquerading as a company founder, having cloned both the founder's likeness and the company itself. They invited him to a real Slack workspace branded to the company, with channels sharing LinkedIn posts, fake employee profiles, and fake profiles of other OSS maintainers to build credibility. They then scheduled a Teams meeting. During the call his system displayed a message that something was out of date and he installed what he assumed was a Teams update. That was the RAT. Everything was well coordinated, looked legitimate, and was done professionally. No wonder the guy fell for it.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• AWS CodeBuild - Escalating Privileges via AWS CodeConnections by Thomas Preece

  There's an undocumented internal endpoint at codebuild-builds.{REGION}.amazonaws.com that responds to a GetBuildInfo call and returns the raw GitHub App installation token (or Bitbucket JWT token) your CodeConnections app uses to pull source. That token has administration write permissions over every repo the app has been granted access to, branch protections included. Thomas walks through the full exploit path so you can check your own environment.

• Navigating Amazon Bedrock's Multi-Agent Applications by Jay Chen and Royce Lu

  As a legitimate user with chatbot access, you can craft inputs that enumerate collaborator agents, traverse the orchestration layer, and invoke downstream tools with attacker-controlled content. Jay and Royce map out how supervisor agents process and delegate requests without reliably distinguishing adversarial inputs from legitimate ones, so a crafted payload can chain through an entire multi-agent workflow. Every agent you add to the pipeline is another link an attacker can pull.

• Enforcing AI Governance Across AWS Organizations by Nigel Sood

  Bedrock guardrails are great until you realize they're configured per account with no org-level enforcement. This post walks through five controls for pushing AI governance across an AWS Organization and the detail worth pausing on is that SCPs blocking bedrock:* don't cover model invocations made via the OpenAI-compatible SDK, which uses a completely separate bedrock-mantle IAM namespace that needs its own deny statements. There's also a good section on long-term Bedrock API keys, which silently create IAM users under the hood with permissions broad enough to delete your guardrails.

Bonusii:

• How to Connect Strands Agents to AWS MCP with IAM Authentication
• Speeding Up IAMTrail: One Boto3 Process Instead of 1,500 CLI Invocations
• AWS Credential Theft Has Been Industrialized

🥗 AWS security blogs

• 📣 Amazon SageMaker Data Agent introduces charting capabilities and support for materialized views
• 📣 Amazon ElastiCache Serverless now supports IPv6 and dual stack connectivity
• 📣 Amazon CloudWatch now supports OpenTelemetry metrics in public preview
• 📣 Amazon SageMaker Data Agent now supports geo-specific inference for Japan and Australia
• 📣 Amazon Bedrock now supports structured outputs to AWS GovCloud (US) Regions
• 📣 AWS Managed Microsoft AD adds Multi-Region replication for Opt-In regions
• 📣 AWS IAM Identity Center is now available in AWS European Sovereign Cloud (Germany) Region
• 📣 AWS Organizations now provides organization paths in API responses
• 📣 AWS Service Availability Updates
• 📣 AWS Security Agent on-demand penetration testing is now generally available
• 📣 AWS Private CA now publishes utilization metrics to Amazon CloudWatch
• 📣 Amazon CloudWatch Logs introduces lookup query command
• 📣 AWS Security Hub is now available in AWS GovCloud (US) Regions
• 📣 Amazon Athena launches Capacity Reservations in additional regions
• 📣 Amazon SageMaker Data Agent is now available in the Amazon SageMaker Unified Studio Query Editor
• AWS Unified Operations: Building Resilient Operations for Mission-Critical Workloads by Nitin Verma
• Amazon Bedrock Guardrails supports cross-account safeguards with centralized control and management by Channy Yun (윤석찬)
• Building PCI DSS-Compliant Architectures on Amazon EKS by Piyush Mattoo
• Driving Intelligent Quality in the Software-Defined Vehicle Era by Arnon Shafir
• AWS launches frontier agents for security testing and cloud operations by Swami Sivasubramanian
• Supporting GSA CUI protection requirements with AWS by Paul Keastead
• Introducing the Landing Zone Accelerator on AWS Universal Configuration and LZA Compliance Workbook by Kevin Donohue
• How AWS KMS and AWS Encryption SDK overcome symmetric encryption bounds by Panos Kampanakis
• Four security principles for agentic AI systems by Mark Ryland
• New compliance guide available: ISO/IEC 27001:2022 on AWS by Ted Tanner
• AWS Security Agent on-demand penetration testing now generally available by Ayush Singh

🍛 Reddit threads on r/aws

No threads this week.

💸 Sponsor shoutout

Meet Pleri: your AI security engineer. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.

🧁 IAM permission changes

• bedrock-mantle
• dataexchange
• healthlake
• s3express
• ecs
• aws-external-anthropic
• sagemaker
• sustainability
• logs
• quicksight
• aws-marketplace
• acm
• sso
• aidevops

🍪 API changes

• Agents for Amazon Bedrock
• Amazon Bedrock
• Amazon Lightsail
• Amazon CloudWatch Logs
• AWS Elemental MediaLive
• Payment Cryptography Control Plane
• Amazon AppStream
• Amazon Bedrock AgentCore Control
• Data Automation for Amazon Bedrock
• Amazon CloudWatch
• Amazon Connect Service
• AWSDeadlineCloud
• Amazon GameLift
• Amazon CloudWatch Logs
• Amazon Bedrock AgentCore Control
• Amazon Bedrock AgentCore
• Amazon Bedrock
• Amazon EC2 Container Service
• Amazon ElastiCache
• Amazon Elasticsearch Service
• AWS Health Imaging
• Amazon OpenSearch Service
• AWS Certificate Manager
• Amazon CloudFront
• AWS Data Exchange
• Amazon DataZone
• AWS DevOps Agent Service
• AWS Database Migration Service
• Amazon Location Service Maps V2
• Amazon Kinesis Analytics
• MailManager
• AWS Marketplace Agreement Service
• CloudWatch Observability Admin Service
• odb
• Amazon OpenSearch Service
• AWS Organizations
• Amazon Pinpoint SMS Voice V2
• Amazon QuickSight
• AWS S3 Control
• Amazon S3 Tables
• AWS Security Agent
• AWS Sustainability
• Amazon AppStream
• Auto Scaling
• Amazon Bedrock AgentCore
• AWSDeadlineCloud
• AWS DevOps Agent Service
• Amazon EC2 Container Service
• Amazon CloudWatch Logs
• Amazon OpenSearch Service
• Partner Central Account API
• Amazon SageMaker Service

🍹 IAM managed policy changes

• AmazonS3ExpressReadOnlyAccess
• AmazonS3ExpressFullAccess
• ReadOnlyAccess
• AnthropicLimitedAccess
• AnthropicLimitedAccess
• AmazonEventBridgeSchedulerReadOnlyAccess
• AmazonEKSLoadBalancingPolicy
• AnthropicFullAccess
• AnthropicInferenceAccess
• AnthropicLimitedAccess
• AnthropicReadOnlyAccess
• AnthropicReadOnlyAccess
• AnthropicLimitedAccess
• AnthropicInferenceAccess
• AnthropicFullAccess
• AmazonEKSLoadBalancingPolicy
• AnthropicLimitedAccess
• AWSCertificateManagerReadOnly
• AWSMarketplaceManageSubscriptions
• AWSMarketplaceRead-only
• AWSMarketplaceSellerFullAccess
• AWSMarketplaceSellerOfferManagement
• AWSObservabilityAdminTelemetryEnablementServiceRolePolicy
• AmazonPollyReadOnlyAccess
• AnthropicFullAccess
• AnthropicInferenceAccess
• AnthropicLimitedAccess
• AnthropicReadOnlyAccess
• CloudWatchSyntheticsFullAccess
• ReadOnlyAccess
• SageMakerStudioUserIAMConsolePolicy
• ViewOnlyAccess
• AnthropicReadOnlyAccess
• AnthropicLimitedAccess
• AnthropicInferenceAccess
• AnthropicFullAccess
• ViewOnlyAccess
• SageMakerStudioUserIAMConsolePolicy
• ReadOnlyAccess
• CloudWatchSyntheticsFullAccess
• AmazonPollyReadOnlyAccess
• AWSObservabilityAdminTelemetryEnablementServiceRolePolicy
• AWSMarketplaceSellerOfferManagement
• AWSMarketplaceSellerFullAccess
• AWSMarketplaceRead-only
• AWSMarketplaceManageSubscriptions
• AWSCertificateManagerReadOnly
• DBModProvisioningAndMigration
• DBModDiscoveryAndAssessment
• AWSServiceRoleForAWSTransformCustom
• AWSPartnerProServeToolsOrganizationReaderIndividualContributor
• AWSPartnerProServeToolsIndividualContributor
• AWSPartnerProServeToolsFullAccess
• AWSElementalMediaConnectDeleteFlow
• AWSElementalMediaConnectDeleteBridge
• AWSElementalMediaConnectCreateFlow
• AWSElementalMediaConnectCreateBridge
• AWSEC2VssRestorePolicy
• AWSBedrockAgentCoreGatewayNetworkServiceRolePolicy
• AIDevOpsOperatorAppAccessPolicy
• AIDevOpsAgentReadOnlyAccess
• AIDevOpsAgentFullAccess
• AIDevOpsAgentAccessPolicy
• SageMakerStudioUserIAMPermissiveExecutionPolicy
• SageMakerStudioUserIAMDefaultExecutionPolicy
• SageMakerStudioProjectUserRolePolicy
• SageMakerStudioAdminIAMPermissiveExecutionPolicy
• SageMakerStudioAdminIAMDefaultExecutionPolicy
• SageMakerStudioAdminIAMConsolePolicy
• ReadOnlyAccess
• BedrockAgentCoreFullAccess
• AmazonSSMAutomationRole
• AmazonGuardDutyServiceRolePolicy
• AmazonEVSServiceRolePolicy
• AmazonBedrockLimitedAccess
• AWSServiceRolePolicyForBackupRestoreTesting
• AWSServiceRoleForImageBuilder
• AWSServiceRoleForAIDevOpsPolicy
• AWSSecurityAgentWebAppPolicy
• AWSManagementConsoleBasicUserAccess
• AWSManagementConsoleAdministratorAccess
• AWSControlTowerServiceRolePolicy

☕ CloudFormation resource changes

No resource updates this week.

🎮 Amazon Linux vulnerabilities

• CVE-2025-13763 - opensc, crafted USB/smart card exploitation, CVSS 3.9
• CVE-2026-34982 - Vim, sandbox bypass/arbitrary OS command execution, CVSS 8.2
• CVE-2026-35536 - Tornado, cookie attribute injection via unvalidated args, CVSS 5.4
• CVE-2026-35535 - sudo, privilege escalation via failed setuid call, CVSS 7.4
• CVE-2026-27456 - util-linux, TOCTOU race condition in loop device, CVSS 4.7
• CVE-2026-35549 - MariaDB, DoS crash via large auth packet, CVSS 6.5
• CVE-2026-35388 - OpenSSH, missing proxy-mode connection confirmation, CVSS 4.3
• CVE-2026-34826 - Rack, denial of service, CVSS 5.3
• CVE-2026-35414 - OpenSSH, CA comma char mishandling in authorized_keys, CVSS 5.4
• CVE-2026-34827 - Rack, DoS via multipart parameter parsing, CVSS 7.5
• CVE-2026-34763 - Rack, path traversal/info disclosure via regex metachar, CVSS 5.3
• CVE-2026-5342 - LibRaw, out-of-bounds read, CVSS 5.3
• CVE-2026-5318 - LibRaw, out-of-bounds write in JPEG DHT parser, CVSS 6.5
• CVE-2026-35386 - OpenSSH, command execution via shell metachar in username, CVSS 4.8
• CVE-2026-34786 - Rack, security header bypass via URL encoding, CVSS 5.3
• CVE-2026-26962 - Rack, header injection via multipart header unfolding, CVSS 4.8
• CVE-2026-32762 - Rack, HTTP header parsing bypass/parameter smuggling, CVSS 4.8
• CVE-2026-34831 - Rack, incorrect Content-Length causing desynchronization, CVSS 4.8
• CVE-2026-34785 - Rack, path traversal via static file prefix matching, CVSS 7.5
• CVE-2026-34829 - Rack, DoS via unbounded disk use in multipart parsing, CVSS 7.5
• CVE-2026-34591 - python-poetry-core, arbitrary file write via crafted wheel, CVSS 6.5
• CVE-2026-34230 - Rack, DoS via quadratic Accept-Encoding processing, CVSS 5.3
• CVE-2026-26961 - Rack, request smuggling via multipart boundary mismatch, CVSS 3.7
• CVE-2026-34830 - Rack, regex injection via X-Accel-Mapping header, CVSS 5.9
• CVE-2026-34835 - Rack, host header poisoning via improper AUTHORITY regex, CVSS 4.8
• CVE-2026-35385 - OpenSSH, improper file permissions in scp downloads, CVSS 7.5
• CVE-2026-35387 - OpenSSH, ECDSA algorithm misinterpretation in key acceptance, CVSS 3.7
• CVE-2026-35093 - libinput, local privilege escalation via Lua bytecode, CVSS 8.8
• CVE-2026-33691 - mod_security_crs, file upload extension check bypass, CVSS 6.8
• CVE-2026-34544 - OpenEXR, out-of-bounds write, CVSS 6.6
• CVE-2026-34545 - OpenEXR, heap buffer overflow, CVSS 8.8
• CVE-2026-35094 - libinput, dangling pointer/info disclosure, CVSS 3.3
• CVE-2026-35091 - Corosync, out-of-bounds read via wrong return value, CVSS 8.2
• CVE-2026-35092 - Corosync, integer overflow in join message validation, CVSS 7.5
• CVE-2026-34543 - OpenEXR, information disclosure, CVSS 6.5
• CVE-2024-14030 - Sereal::Decoder, buffer overwrite in embedded Zstandard library, CVSS 8.1
• CVE-2026-5201 - gdk-pixbuf2, heap-based buffer overflow in JPEG loader, CVSS 7.5
• CVE-2026-34073 - python-cryptography, DNS name constraint validation bypass, CVSS 3.7
• CVE-2026-33997 - Docker/Moby, privilege validation bypass in plugin install, CVSS 6.8
• CVE-2024-14031 - Sereal::Encoder, buffer overwrite in embedded Zstandard library, CVSS 8.1

📺 AWS security bulletins

No bulletins this week.

🚬 Security documentation changes

• EKS - Kubernetes 1.32 support added with anonymous authentication restrictions.
• EKS - Platform versions updated for Kubernetes 1.30-1.35, removed 1.29.
• Marketplace - Seller registration now requires photo ID and tax ID verification.
• Redshift - Serverless IAM trust policy example now includes confused deputy protections.
• RES - S3 bucket policy example warns s3:* allows metadata exfiltration.
• Security Hub - New finding for publicly shared RDS snapshots.
• ACM - Public certificates created before June 17, 2025 cannot be exported.
• Notifications - Removed iam:CreateServiceLinkedRole from policy examples.
• Redshift - Patch 200 release notes with IAM Identity Center and security fixes.
• Athena - ODBC v2.1.0.0 added PKCE for authorization code interception prevention.
• Athena - ODBC v2.1.0.0 added CSRF protection via RelayState validation.
• Athena - ODBC updated to Authorization Code + PKCE with port hijacking warning.
• Athena - ODBC v2.1.0.0 breaking change: SSL on by default, TLS 1.2 enforced.
• Athena - ODBC v2.1.0.0 release notes.
• Athena - ODBC download links updated to v2.1.0.0.
• Athena - What's New entry for ODBC v2.1.0.0 security improvements.
• AWS Backup - Added security auto-remediation considerations.
• Corretto - Signature verification public key filename updated.
• EventBridge - SNS topic policy condition key corrected from AWS:SourceOwner to AWS:SourceAccount.
• Inspector - CVE-2026-33997 and CVE-2026-34040 added to SBOM Generator history (not impacted).
• Managed Services - Four new change types: VPN tunnel replacement, VPC route deletion, DNS scavenging, RDS parameter groups.
• Managed Services - Documentation history updated for the above four change types.