Release Date: 31/08/2025 | Issue: 303
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Securing the Future of AI with Teleport + AWS

Is your team ready to deal with AI risks? Teleport extends identity governance to AI agents, securing Amazon Bedrock and MCP deployments with Zero Trust, ephemeral privileges, and full audit trails. Learn how Teleport can secure your AI projects today.
Read how to secure MCP with Teleport + AWS

This week's articles


s1ngularity: supply chain attack leaks secrets on GitHub
Multiple malicious versions of the widely used "Nx" build system package were published to the npm registry. These versions contained a post-installation malware script designed to harvest sensitive developer assets, including cryptocurrency wallets, GitHub and npm tokens, SSH keys, and more.   #attack   #supply-chain


Canary tokens: Learn all about the unsung heroes of security at Grafana Labs
This article explains how Grafana Labs uses canary tokens for threat detection, their placement strategy in GitHub secrets, integration with the Thinkst platform for alerting, and best practices learned from catching a real attacker, including metadata management and avoiding false positives.   #ci/cd   #defend   #monitor


MCP vulnerability case study: SQL injection in the Postgres MCP server
Learn how a vulnerability in Anthropic's reference Postgres MCP server made it possible to bypass the read-only restriction and execute arbitrary SQL statements.   #ai   #attack


How to Create a Secure CI/CD Pipeline Using Okta Terraform
This article demonstrates how to create a secure CI/CD pipeline using Terraform, AWS, and GitHub Actions to manage Okta resources. It covers authentication, state management, secrets handling, and automated deployment workflows.   #build   #ci/cd   #iac   #terraform


A new type of long-lived key on AWS: Bedrock API keys
AWS has introduced a new type of long-lived key called Bedrock API keys, which are used for authenticating applications. These keys are created through the IAM API and can have an expiration time set, but there's no way to enforce this via IAM policy conditions.   #aws   #iam


Safeguarding VS Code against prompt injections
When a chat conversation is poisoned by indirect prompt injection, it can result in the exposure of GitHub tokens, confidential files, or even the execution of arbitrary code without the user's explicit consent. This post explains which VS Code features may reduce these risks.   #ai   #defend


AWS CDK and SaaS Provider Takeover
This article details a vulnerability where SaaS providers using AWS CDK bootstrap roles could have their accounts taken over through their own platform due to permissive IAM role trust policies lacking external ID protections.   #attack   #aws


WebSocket authentication bypass in Claude Code extensions
A critical vulnerability in older versions of the Claude Code for Visual Studio Code (VS Code) and other IDE extensions allowed malicious websites to connect to unauthenticated local WebSocket servers, potentially enabling remote command execution.   #ai   #attack   #supply-chain

Tools


JamfHound
A python3 project designed to collect and identify attack paths in Jamf Pro tenants based on existing object permissions by outputting data as JSON for ingestion into BloodHound.


regal
A linter and language server for Rego.


Take-Home Exercise
A sample take-home exercise from the Adobe Security team.


ghbuster
A tool to identify and investigate inauthentic GitHub user accounts and repositories.


toolhive
Run and manage MCP servers easily and securely.

From the cloud providers


#AWS   AWS Shield network security director (preview)
Use network security director to understand your AWS security configuration and to explore ways to strengthen it.


#AWS   Simplify multi-tenant encryption with a cost-conscious AWS KMS key strategy
An efficient approach to managing encryption keys in a multi-tenant SaaS environment through centralization, addressing challenges like key proliferation, rising costs, and operational complexity across multiple AWS accounts and services.

Business News

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini