Release Date: 08/03/2026 | Issue: 328
Know someone who'd find this useful? Forward this email
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Your company moves fast. Your SOC should too.
Exaforce's AI agents detect, triage, investigate, and respond to threats automatically so your lean security team can move at the speed of your business without scaling headcount.

See how fast your SOC can move

This week's articles


Hook, line, and vault: A technical deep dive into the 1Phish kit
1Phish is a phishing kit targeting 1Password users that evolved across 4 versions (Sept 2025โ€“Feb 2026) from a basic credential harvester (~258 LoC) into a fully API-driven, MFA-aware kit with browser fingerprinting, bot scoring, JS obfuscation, OTP/recovery-code capture, enterprise targeting, and multi-language support.


Superuser Gateway: Guardrails for Privileged Command Execution
Uber's "Superuser Gateway" replaces direct superuser CLI access with a Git-backed, peer-reviewed workflow. Engineers submit commands via superuser-cli, triggering automated validation (syntax, permissions, impact estimation) and PR-based peer approval before a back-end service executes them, eliminating local credential holding and improving auditability.


Please, please, please stop using passkeys for encrypting user data
Passkeys are the future of authentication, but using them for data encryption is a disaster waiting to happen. Overloading these credentials creates a dangerous blast radius that can lead to the irreversible loss of a user's most sacred memories and documents.


How LDAP Works: An Interactive Guide
An interactive exploration of LDAP. Build a directory from a flat list, discover tree structure, distinguished names, schemas, search operations, and authentication.


The Detection Engineering Baseline: Statistical Methods
A practical guide to using statistical methods for empirically modeling normal in your environment.

Sponsor

AI Remediation Developers Will Actually Use
"I've asked vendors to build this for years, and this is the first time I've actually seen it done right." โ€” James Berthoty, Latio Tech
Every vulnerability tool tells you what's wrong. None say how to fix it. The ones that try just say "upgrade available," ignoring your environment and whether it'd actually work.
Maze just launched AI remediation agents that think like your developers. They trace how vulnerabilities enter your environment, find where one remediation resolves many, and deliver fixes your team would actually choose.

See how it works

Tools


Aegis
Monitors what AI agents do on your computer.


Zero Day Clock
Track Time-to-Exploit (TTE) across 83,000+ CVEs from 10 sources including CISA KEV, ExploitDB, and Metasploit. Median TTE trends, year-over-year analysis, and live exploit intelligence.


load-secrets-action
Load secrets from 1Password into your GitHub Actions jobs.

AI


hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions
A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in at least 4 out of 5 targets. The attacker, an autonomous bot called hackerbot-claw, used 5 different exploitation techniques and successfully exfiltrated a GitHub token with write permissions from one of the most popular repositories on GitHub. This post breaks down each attack, shows the evidence, and explains what you can do to protect your workflows.


The Reach Pattern
The "Reach" pattern is a personal CLI that hijacks existing browser sessions to query SaaS APIs (Slack, Jira, Confluence, etc.) on your behalf, feeding structured organizational context to your AI coding assistant.


infrastructure-agents-guide
How to design, build, and operate AI agents for infrastructure teams, safely. 13 chapters covering architecture, sandboxing, credentials, change control, observability, and more.


How AI Agents Automate CVE Vulnerability Research
A technical deep-dive into Praetorian's multi-agent CVE research pipeline, exploring how orchestrated AI agents transform vulnerability data into validated detection templates.

From the cloud providers


#AWS   Inside AWS Security Agent: A multi-agent architecture for automated penetration testing
AWS Security Agent's penetration testing uses a multi-agent architecture: specialized swarm agents handle reconnaissance, managed/guided exploration, and exploit validation. The system achieves 80% attack success rate on CVE Bench under real-world conditions, with assertion-based validation reducing false positives and CVSS-scored reporting.

Upcoming Events


CFP   RAID 2026 Deadline
CFP Deadline: Apr 16, 2026


CFP   CCS 2026 Deadline
CFP Deadline: Apr 29, 2026


CONF   RSAC 2026 Conference
Mar 23-26, 2026 | San Francisco, United States

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! ๐Ÿ‘Œ

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
ยฉ 2019-present CloudSecList ยท Marco Lancini