🥖 Palette Cleanser

A CISA contractor made an oopsie, checked administrative AWS GovCloud keys into a public GitHub repo named Private-CISA (I name all my projects "secure" so hackers know not to bother) in November 2025, and left them there until an external secrets scanner caught them on May 15. The exposed credentials authenticated at high privilege to three GovCloud accounts and CISA's internal artifactory, and they were still live 48 hours after notification. If the agency whose entire reason for existence is helping orgs prevent this exact failure cannot stop it, then what we all need to be planning for the inevitable failures at our employers.

Software supply chain attacks are not slowing down. The TeamPCP npm worm hit @antv this week, Alibaba's open-source data viz suite, as part of a 323-package blast radius totaling ~16M weekly downloads. Payloads grep for AWS access keys and scrape IMDS, ECS metadata, and Secrets Manager, with parallel persistence through GitHub Actions workflows and the trojanized nrwl.angular-console VSCode extension. This is wave FIVE in the post-Shai-Hulud series after TanStack, UiPath, and Mistral, with each wave broadening the cloud-credential surface. Scope CI roles tight, kill long-lived keys in pipelines, and assume the next package update is the next wave.

Have feedback about AWS Security Digest? Tell us here. This issue is also available to share online.

📋 Chef's selections

• Pathfinding Labs: Deploy, test, and learn from 100+ intentionally vulnerable AWS environments by Seth Art

  Seth makes the coolest projects. Pathfinding.cloud previously documented AWS privilege escalation paths and Pathfinding Labs is the next step. A Go CLI called plabs deploys 100+ intentionally vulnerable AWS labs covering self-escalation, one-hop and multi-hop chains, cross-account scenarios, toxic combinations, and broader CSPM misconfigurations. Each lab comes with CTF-style hints and full walkthroughs. It answers a question most blue teams could not previously answer cheaply: does my CSPM and SIEM stack actually catch this path?

• 3 prerequisites to adopting Claude Platform on AWS by Nigel Sood

  Claude has gone from niche to default in a year, and enterprises are now working out how to actually buy and govern it without spinning up a separate Anthropic relationship for every team that wants in. AWS answered that on May 11 with Claude Platform on AWS: Anthropic's full native platform (Messages API, Skills, MCP connector, managed agents, code execution, the lot) authenticated via SigV4 or API key with IAM-based access control, billed through AWS Marketplace, audited through CloudTrail, with inference still running on Anthropic-managed infrastructure outside the AWS security boundary. The article walks three controls to land before adoption. SCPs with identity allowlists restricting who can touch critical workspaces, killing long-term Anthropic API keys so SigV4-signed requests from short-lived AWS credentials are the only path in, and CloudTrail data events enabled so model invocations and agent, session, skill, and memory actions actually show up in the audit trail.

• Unpatchable Vulnerabilities of Kubernetes: CVE-2021-25740 by Rory McCune

  CVE-2021-25740 is one of those structural Kubernetes flaws that does not get patched because the behaviour is intentional. Kubernetes lets any user with the default namespace edit role rewrite the routing table that tells a shared load balancer which pods to send traffic to (the Endpoints and EndpointSlice objects), so a regular tenant can quietly repoint another tenant's traffic at their own pods and the victim sees nothing. The post walks the routing model carefully before laying out the attack, and it is a clean read on what makes the issue structural rather than fixable. For multi-tenant EKS clusters where a shared AWS Load Balancer Controller registers pod IPs directly into ALB or NLB target groups this is live today, and the only real mitigations are avoiding shared LBs, migrating to the Gateway API which makes cross-namespace routing opt-in, and stripping that routing-table write permission off the default edit role so only Kubernetes controllers hold it.

🥗 AWS security blogs

• 📣 AWS Security Agent adds verification scripts for pentest findings
• 📣 AWS Security Hub now uncovers identity risks from unused access
• 📣 Security Hub Extended expands to 21 curated partner solutions across 9 categories
• 📣 AWS announces ExtendDB, an open source DynamoDB-compatible adapter
• 📣 Amazon MWAA now supports Apache Airflow 3.2
• 📣 Amazon Inspector is now available in the AWS Asia Pacific (Taipei) Region
• AWS KY3P report now available for third-party supplier due diligence by Michael Murphy
• Automating identity lifecycle and security with AWS Directory Service APIs by Ali Alzand
• Why Policy in Amazon Bedrock AgentCore chose Cedar for securing agentic workflows by Liana Hadarean
• AWS Security Hub Extended: Why enterprise security products should sell themselves by Michael Fuller
• CIRT insights: How to help prevent unauthorized account removals from AWS Organizations by Shannon Brazil
• Governing infrastructure as code using pattern-based policy as code by Guptaji Teegela

🍛 Reddit threads on r/aws

• I bypassed AWS API Gateway auth with a trailing slash. Got $12K bounty.
• AWS Organizations now supports higher quotas for service control policies (SCPs)
• Pathfinding Labs: Deploy, test, and learn from 100+ intentionally vulnerable AWS environments
• Authorization Bypass in Amazon Quick: Unauthorized AI Chat Agent Usage
• Is it risky to disable expensive AWS WAF, when all I have is three 1-page placeholder sites with no links or interactive elements?
• I got sick of all the security tools so just made one myself

💸 Sponsor shoutout

Meet Pleri: your AI security engineer. She’s not a chatbot. Pleri proactively finds meaningful security work and fixes issues before they become problems.

Learn more about Pleri and see her in action.

🧁 IAM permission changes

• s3
• transfer
• evs
• kms
• braket
• sagemaker
• ecs
• config

🍪 API changes

• Amazon DataZone
• Amazon Elastic Compute Cloud
• AWS Invoicing
• AWS Performance Insights
• Amazon Q Connect
• AWS Security Agent
• Amazon Bedrock AgentCore Control
• AWS Clean Rooms Service
• AWS Clean Rooms ML
• Amazon Elastic VMware Service
• AWS MediaConnect
• Amazon SageMaker Service
• Amazon Verified Permissions
• Amazon Bedrock Runtime
• Amazon Connect Customer Profiles
• AWS Key Management Service
• Payment Cryptography Data Plane
• AWS DevOps Agent Service
• Amazon Managed Grafana
• Amazon GuardDuty
• RTBFabric
• Amazon SageMaker Service
• Access Analyzer
• Amazon Elastic Compute Cloud
• Amazon EC2 Container Service
• Amazon QuickSight

🍹 IAM managed policy changes

• AIDevOpsOperatorAppAccessPolicy
• SageMakerStudioProjectRoleMachineLearningPolicy
• AmazonQDeveloperAccess
• AmazonQFullAccess
• AWSApplicationAutoscalingECSServicePolicy
• AWSControlTowerServiceRolePolicy
• WAFLoggingServiceRolePolicy
• AWSControlTowerAccountServiceRolePolicy
• WAFV2LoggingServiceRolePolicy
• WAFRegionalLoggingServiceRolePolicy
• AdministratorAccess-AWSElasticBeanstalk
• AWSElasticBeanstalkReadOnly
• AmazonEKSComputePolicy
• AmazonConnectServiceLinkedRolePolicy
• SecurityAudit
• ReadOnlyAccess

☕ CloudFormation resource changes

No resource updates this week.

🎮 Amazon Linux vulnerabilities

• CVE-2026-39829: Go SSH RSA/DSA key size DoS
• CVE-2026-45664: ImageMagick MNG coder list-limit bypass DoS
• CVE-2026-47166: ImageMagick distribute-cache heap over-read
• CVE-2026-39835: Go SSH CertChecker nil-callback panic DoS
• CVE-2026-45031: ImageMagick PSD list-length policy bypass
• CVE-2026-45359: ImageMagick connected-components heap over-read
• CVE-2026-46523: ImageMagick MSL coder heap UAF
• CVE-2026-42508: Go SSH revoked CA SignatureKey not checked
• CVE-2026-42326: ImageMagick IPTC OOB read
• CVE-2026-46559: ImageMagick JP2 1-byte heap over-write
• CVE-2026-45358: ImageMagick meta encoder off-by-one read
• CVE-2026-39827: Go SSH rejected-channel memory exhaustion DoS
• CVE-2026-46595: Go SSH source-address validation bypass
• CVE-2026-39828: Go SSH PartialSuccessError perms silently dropped
• CVE-2026-46522: ImageMagick MIFF infinite loop DoS
• CVE-2026-9256: NGINX rewrite module heap overflow, RCE if no ASLR
• CVE-2026-46693: ImageMagick distribute-cache fd hijack race
• CVE-2026-39830: Go SSH unsolicited-response resource leak DoS
• CVE-2026-39832: Go SSH agent destination-restrictions stripped
• CVE-2026-39833: Go SSH ConfirmBeforeUse constraint not enforced
• CVE-2026-46692: ImageMagick distribute-cache heap over-write
• CVE-2026-8376: Perl Perl_study_chunk buffer overflow
• CVE-2026-46557: ImageMagick fx operation stack overflow
• CVE-2026-46521: ImageMagick MIFF LZMA OOB write
• CVE-2026-45624: ImageMagick polynomial distortion OOB read
• CVE-2026-46598: Go ed25519.PrivateKey wire-decode panic DoS
• CVE-2026-39834: Go SSH channel write integer-overflow loop
• CVE-2026-46520: ImageMagick multi-image OOB heap write
• CVE-2026-46597: Go SSH AES-GCM packet decoder panic
• CVE-2026-39831: Go SSH FIDO/U2F user-presence check missing
• CVE-2026-47165: ImageMagick distributed pixel cache adds auth
• CVE-2026-45075: Symfony IsGranted authz skipped on HEAD requests
• CVE-2026-9149: libsolv .solv parser heap buffer overflow
• CVE-2026-46529: Evince/Atril/Xreader command injection in ev_spawn
• CVE-2026-43617: rsync daemon hostname ACL bypass via PTR
• CVE-2026-41292: Unbound EDNS-options parse DoS
• CVE-2026-5946: BIND named crash via crafted DNS message
• CVE-2026-43618: rsync compressed-token integer overflow info leak (8.1)
• CVE-2026-44608: Unbound RPZ XFR UAF on multi-thread
• CVE-2026-9064: 389-ds LDAP controls DoS
• CVE-2026-44390: Unbound name-compression DoS via large RRsets
• CVE-2026-29518: rsync TOCTOU symlink redirects file writes
• CVE-2026-47783: memcached SASL username timing side-channel
• CVE-2026-33278: Unbound DNSSEC validator dangling ptr, RCE (8.1)
• CVE-2026-42959: Unbound DNSSEC validator uninit-ptr crash
• CVE-2026-3592: BIND resolver server list size limit added
• CVE-2026-42944: Unbound EDNS options heap overflow
• CVE-2026-9150: libsolv Debian metadata stack overflow
• CVE-2026-42960: Unbound additional-section cache poisoning
• CVE-2026-47784: memcached SASL password memcmp timing
• CVE-2026-5950: BIND recursion loop bound added
• CVE-2026-43620: rsync receiver OOB read crash
• CVE-2026-3039: BIND GSS-API resource leak
• CVE-2026-43619: rsync symlink TOCTOU on chmod/lchown/etc
• CVE-2026-9087: Keycloak cross-session IdP-link bypass
• CVE-2026-42534: Unbound jostle bypass via duplicate queries
• CVE-2026-40622: Unbound ghost-domain TTL extension
• CVE-2026-42923: Unbound NSEC3 negative-cache lockup DoS
• CVE-2026-32792: Unbound DNSCrypt underflow heap overflow
• CVE-2026-5947: BIND SIG(0) signed response crash
• CVE-2026-45232: rsync HTTP proxy line off-by-one stack write
• CVE-2026-3593: BIND DoH HTTP/2 SETTINGS UAF
• CVE-2026-8957: Firefox Enterprise Policies privesc
• CVE-2026-8955: Firefox DOM Workers privesc
• CVE-2026-40930: libpng APNG ancillary chunks reinterpreted as header
• CVE-2026-8963: Firefox Web Speech spoofing
• CVE-2026-8974: Firefox/Thunderbird memory safety bugs
• CVE-2026-8962: Firefox DOM Security mitigation bypass
• CVE-2026-8969: Firefox DOM Security mitigation bypass
• CVE-2026-8975: Firefox/Thunderbird memory safety bugs (8.8)
• CVE-2026-8951: Firefox Android toolbar spoofing
• CVE-2026-32739: libheif HEIF stts infinite loop DoS
• CVE-2026-8958: Firefox process-sandbox info disclosure/escape
• CVE-2026-5090: perl Template-Toolkit HTML filter single-quote XSS
• CVE-2026-8970: Firefox Security privesc (8.8)
• CVE-2026-8946: Firefox Web Codecs boundary bug (8.8)
• CVE-2026-8973: Firefox memory safety bugs (8.8)
• CVE-2026-8971: Firefox Networking JAR same-origin bypass
• CVE-2026-8953: Firefox A11y APIs UAF sandbox escape
• CVE-2026-8956: Firefox Networking JAR integer overflow
• CVE-2026-8972: Firefox WebRTC A/V privesc
• CVE-2026-8948: Firefox DOM Networking same-origin bypass (8.2)
• CVE-2026-8945: Firefox Android sandbox escape
• CVE-2026-32882: libheif overlay heap over-read (7.1)
• CVE-2026-8968: Firefox Web Codecs invalid-ptr DoS
• CVE-2026-8960: Firefox WebExtensions spoofing
• CVE-2026-8965: Firefox DOM Security info disclosure
• CVE-2026-8711: NGINX JS js_fetch_proxy heap overflow, RCE if no ASLR (8.1)
• CVE-2026-8950: Firefox Networking HTTP same-origin bypass
• CVE-2026-8967: Firefox WebGPU info disclosure
• CVE-2026-8959: Firefox Widget Win32 sandbox escape
• CVE-2026-8947: Firefox DOM Bindings UAF (8.8)
• CVE-2026-32814: libheif HEIF grid uninit heap info leak
• CVE-2026-8961: Firefox Form Autofill spoofing
• CVE-2026-32740: libheif grid chroma heap overflow (8.8)
• CVE-2026-32738: libheif HEIF stsc underflow SEGV
• CVE-2026-32741: libheif mask image heap overflow (7.1)
• CVE-2026-8949: Firefox Widget Win32 integer overflow
• CVE-2026-8964: Firefox Popup Blocker spoofing
• CVE-2026-8952: Firefox Application Update privesc
• CVE-2026-8966: Firefox IP Protection info disclosure
• CVE-2026-8954: Firefox A/V boundary/integer overflow (7.6)

📺 AWS security bulletins

• CVE-2026-8838 - Remote Code Execution in amazon-redshift-python-driver
• CVE-2026-9255 - Tool Execution Without Authorization via Piped Stdin in Kiro CLI
• CVE-2026-9133 - Arbitrary file read in rabbitmq-aws plugin
• CVE-2026-9291 - Insecure Deserialization in Amazon Braket SDK Job Results Processing

🚬 Security documentation changes

• ECS co-located task isolation risks expanded
• ECS adds IMDS blocking rec for co-located tasks
• ECS expands co-located task warnings (EC2/Managed/Anywhere)
• IAM warns network-condition Deny blocks service-to-service calls
• Route53 docs drop account setup, link out
• Amazon Q adds artifacts preview for cross-service jobs
• Amazon Q policies pick up artifact permissions
• Amazon Q artifacts policy example with IAM + CFN warnings
• Athena docs drop account setup, link out
• Audit Manager docs drop admin user setup mention
• Audit Manager docs drop root hardening section, link out
• B2BI docs drop account setup, link out
• Bedrock drops 'anonymized' from classifier metrics description
• Chatbot docs drop account setup, link out
• CLI adds KMS SourceArn grant constraint note for ReEncrypt
• CLI/MWAA adds PUBLIC_AND_PRIVATE webserver access mode
• CloudShell FAQ clarifies root-access boundary
• CodeBuild fixes GitHub MAINTAIN role, adds custom role mapping
• Comprehend docs drop account setup, link out
• Connect adds self-managed SMS opt-out via Lambda + Lex
• Control Tower warns of Config data loss during upgrade
• Control Tower IAM moves BatchDescribeTypeConfigurations to wildcard
• DMS covers Aurora MySQL 8.4 TLS + cipher changes
• EKS docs typo fix in instance lifetime section
• EKS Capabilities docs grammar fix
• EKS clarifies control-plane termination warning during updates
• FreeRTOS docs drop account setup, link out
• Kendra docs drop account/MFA/Identity Center setup
• KMS adds new grant condition keys
• KMS grant best practices + duplicate-grant warning updated
• KMS clarifies grant-retirement perms for service principals
• AL2023.11.20260514 release: curl/firefox/kernel/python/ruby
• AL2 vs AL2023.11 package comparison updated
• Location docs drop account setup, link out
• Marketplace docs swap procurement-disable for CloudTrail logging
• Marketplace adds CloudTrail logging section
• Marketplace changelog: CloudTrail logging docs
• Marketplace section retitled to CloudTrail logging
• Marketplace Ariba integration gets CloudTrail note
• Marketplace Coupa integration gets CloudTrail note
• MediaLive docs drop account setup, link out
• MediaTailor docs drop account setup, link out
• MSK drops Secrets Manager auto-attach, manual perms required
• MSK Replicator IAM perms doc updated with caller perms
• MSK Replicator service exec role + caller perms clarified
• MWAA documents unsupported Airflow configs (security limits)
• OpenSearch warns manual Cognito App Client edits get overwritten
• OpenSearch adds TLSNegotiationError metric for failed handshakes
• OpenSearch docs cover aws:SecureTransport for HTTPS enforcement
• SageMaker HyperPod AMI on EKS release notes (K8s 1.28-1.35)