Release Date: 30/11/2025 | Issue: 316
Know someone who'd find this useful? Forward this email
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

This week's articles


Stop Putting Your Passwords Into Random Websites (Yes, Seriously, You Are The Problem)
WatchTowr researchers scraped 80,000+ saved entries from JSONFormatter and CodeBeautify sites, finding thousands of exposed credentials including AWS keys, Active Directory passwords, API tokens, and PII from governments, banks, MSSPs, and cybersecurity firms. Evidence suggests attackers already exploit this.   #defend   #supply-chain   #saas


The story of how we almost got hacked
Invictus IR received a suspicious BEC phishing email impersonating a pharmaceutical company, requesting a non-existent product. They investigated, tracking the threat actor's infrastructure, uncovering an AiTM phishing campaign using EvilProxy framework, targeting multiple industries through WeTransfer-delivered credential harvesting.   #attack   #saas


Inside the GitHub Infrastructure Powering North Korea’s Contagious Interview npm Attacks
Socket Threat Research maps a rare inside look at OtterCookie's npm-Vercel-GitHub chain, adding 197 malicious packages and evidence of North Korean operators.   ""   #supply-chain   #attack


Phishing for AWS Credentials via the New ‘aws login’ Flow
The new aws login command, designed to provide temporary credentials for local development, can be exploited by attackers for phishing, even bypassing phishing-resistant MFA.   ""   #attack   #aws


What to know about a recent Mixpanel security incident
OpenAI is informing users about a security incident that occurred at Mixpanel, a third-party data analytics provider used for their API product's frontend interface. This breach was confined to Mixpanel's systems and did not affect OpenAI's infrastructure, nor were users of ChatGPT or other OpenAI products impacted.   #attack   #supply-chain


Breaking change on GitHub Actions pull_request_target
GitHub Actions' pull_request_target event will reference the default branch instead of PR base branch from Dec 8, 2025, preventing attackers from exploiting vulnerable workflows in unpatched branches targeting non-default branches.   #ci/cd   #supply-chain   #announcement


When Password FieldsAren’t Enough – Client-Side SecretExposure in PagerDuty Cloud Runbook
CVE-2025-52493 in PagerDuty Cloud Runbook exposed stored secrets (API keys, credentials) to authenticated admins through client-side DOM manipulation. Secrets were sent unmasked to browsers, protected only by password field masking, exploitable via simple HTML attribute changes.   #attack   #saas

Tools


aws-finops-dashboard
A terminal-based AWS cost and resource dashboard which provides an overview of AWS spend by account, service-level breakdowns, budget tracking, and EC2 instance summaries.


log-sniffer
A full-stack web application that provides a security-focused dashboard for analyzing Snyk audit logs.


osquery-forensics-agent
LangGraph-powered forensic analysis workflow for OSQuery data processing and security investigation.


pinact
A CLI to edit GitHub Workflow and Composite action files and pin versions of Actions and Reusable Workflows.

AI


Google Antigravity Exfiltrates Data
An indirect prompt injection in an implementation blog can manipulate Antigravity to invoke a malicious browser subagent in order to steal credentials and sensitive code from a user's IDE.


An Evening with Claude (Code)
Security researchers discovered CVE-2025-64755 in Claude Code by finding a sed expression parsing vulnerability that bypassed command validation regex checks, enabling arbitrary file writes and command execution through prompt injection.


MCP Apps: Extending servers with interactive user interfaces
MCP Apps is a proposed extension standardizing interactive UI support in Model Context Protocol. Enables servers to deliver embedded interfaces via predeclared HTML resources, uses MCP transport over postMessage, implements iframe sandboxing for security, and maintains backward compatibility.


Introducing CodeMender: an AI agent for code security
CodeMender is an AI agent for code security that automatically validates patches through program analysis, testing, and multi-agent systems. It identifies root causes of vulnerabilities using debuggers and source code browsers.

From the cloud providers


#AWS   Introducing guidelines for network scanning
AWS introduces network scanning guidelines for customer workloads to distinguish legitimate security scans from malicious activity.


#AWS   AWS Secrets Manager launches Managed External Secrets for Third-Party Credentials
AWS Secrets Manager introduces managed external secrets for third-party credentials like Salesforce, Snowflake, and BigID.


#AWS   Introducing VPC encryption controls: Enforce encryption in transit within and across VPCs in a Region
AWS announces VPC encryption controls, a new capability that helps organizations audit and enforce encryption in transit for all traffic within and across VPCs in a Region, simplifying compliance with regulatory frameworks like HIPAA, PCI DSS, and FedRAMP through automated monitoring and enforcement modes.


#AWS   Introducing attribute-based access control for Amazon S3 general purpose buckets
AWS introduces Attribute-Based Access Control (ABAC) for S3 general purpose buckets, enabling administrators to automatically manage permissions through tag-based policies that match tags between users, roles, and buckets—eliminating the need to constantly update IAM policies as organizations scale.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present CloudSecList · Marco Lancini