Release Date: 12/04/2026 | Issue: 333
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

What containers changed about cloud security and risk

Gartner estimates 99% of cloud security failures are the customer's fault, not the provider's. The mass adoption of containers has made that responsibility harder to manage. Where you once secured a single application, you now have hundreds of microservices, each with its own dependencies, configs, and blind spots.
Andy Hornegold, Intruder's VP of Product, breaks down where container risk actually comes from across the full security lifecycle, and what four recent breaches reveal about how attackers are getting in.


This week's articles


Protecting Our Systems with Intelligence
How Block builds AI protectors that shift left, manage context, and continuously evolve to keep systems aligned with their world model.


AI Tools Are Eroding Your Zero Trust Foundations
We're connecting AI tools to everything, and we're making them controllable from anywhere. That combination is a fundamental challenge to how we've been thinking about defense in depth.


Claude Code vulnerability: Deny rules silently bypassed because security checks cost too many tokens
Claude Code's deny rules are silently bypassed when a shell command exceeds 50 subcommands, a performance cap in bashPermissions.ts. The secure fix (tree-sitter parser) exists in Anthropic's codebase but was never deployed to production, enabling credential theft via malicious CLAUDE.md files.


prt-scan: AI-Powered GitHub Actions Supply Chain Attack
Wiz Research traces six waves of pull_request_target exploitation to one actor, starting three weeks before public disclosure. 500+ malicious PRs, 10% success.


When an Attacker Meets a Group of Agents: Navigating Amazon Bedrock's Multi-Agent Applications
Unit 42 red-teamed Amazon Bedrock's multi-agent collaboration framework, demonstrating a four-stage attack chain: operating mode detection, collaborator agent discovery, payload delivery via prompt injection, and exploitation (instruction/tool schema extraction, malicious tool invocation). No Bedrock vulnerabilities were found; enabling Bedrock Guardrails mitigates all demonstrated attacks.


Claude & Control: An Introduction to Agentic C2 with Computer Use Agents
This blog explores how computer use agents can be used to build an agentic command-and-control framework. By combining LLM reasoning with desktop interaction tools, attackers could automate endpoint control while blending into normal system behavior. Here, we break down the architecture, abuse scenarios, and detection opportunities.


NomShub: Weaponizing Cursor's Remote Tunnel Through Indirect Prompt Injection and Sandbox Breakout
NomShub is a critical vulnerability chain in the Cursor AI code editor where a malicious repository can silently hijack a developer's machine, combining indirect prompt injection, a sandbox escape via shell builtins, and Cursor's built-in remote tunnel to give attackers persistent, undetected shell access triggered simply by opening a repo.


Unexpected Routing Behaviour in AWS with VPC Peering and NAT Gateway
When routing VPC peering traffic through an internal NAT gateway in AWS, response traffic bypasses route tables via connection tracking, making all subnets in the peered VPC reachable even without return routes configured. AWS confirmed this is "expected behaviour".


What's coming to our GitHub Actions 2026 security roadmap
A look at GitHub Actions' 2026 roadmap, outlining how secure defaults, policy controls, and CI/CD observability harden the software supply chain end to end.

Tools


randompass
A simple static password generator.


notyet
Did you contain the compromised identity? notyet.


osv.dev
Open source vulnerability DB and triage service.


mrva
A terminal-first approach to CodeQL multi-repo variant analysis.

From the cloud providers


#AWS Amazon S3 starts rolling out new security best practice to new and existing buckets by default
S3 is now deploying a new default bucket security setting which will automatically disable server-side encryption with customer-provided keys (SSE-C) for all new general purpose buckets.


#AWS Launching S3 Files, making S3 buckets accessible as file system
Amazon S3 Files makes S3 buckets accessible as high-performance file systems on AWS compute resources, eliminating the tradeoff between object storage benefits and interactive file capabilities while enabling seamless data sharing with ~1ms latencies.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini