Release Date: 26/04/2026 | Issue: 335
Know someone who'd find this useful? Forward this email
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Secure DevOps CI/CD Pipelines with Hardened Images
DevOps pipelines often start on generic images that create cloud security debt, slow audits, and force engineers to reinvent the same controls. CIS Hardened Images® provide a remedy. These pre-configured VMs are built to the CIS Benchmarks® in major cloud marketplaces, giving teams hardened starting points on AWS, Azure, Google Cloud, and Oracle Cloud for reducing misconfigurations, speeding releases, and simplifying compliance.

Start your next build on CIS Hardened Images today.

This week's articles


How Amazon uses agentic AI for vulnerability detection at global scale
Amazon's RuleForge is a multi-agent AI system that auto-generates CVE detection rules from exploit PoC code. It uses parallel generation (via Amazon Bedrock/Fargate), a separate judge model (reducing false positives by 67%), and multistage validation, achieving 336% faster rule production than manual workflows while keeping humans in the final approval loop.


Orchestrating AI Code Review at scale
Cloudflare built a CI-native, plugin-based AI code review system using OpenCode, orchestrating up to 7 specialised agents (security, performance, code quality, etc.) per merge request. It processed 131K reviews across 48K MRs, averaging $0.98/review at 3m39s median latency, with an 85.7% prompt cache hit rate.


Agents as scaffolding for recurring tasks
An effective agent pattern for recurring tasks: prototype with agent-driven flow, then refactor to code-driven control, using agents only for ambiguous sub-tasks (e.g., ownership resolution). Results in faster, cheaper, more reliable, and maintainable pipelines.


The case for dependency cooldowns in a post-axios world
Following recent npm supply chain compromises (axios, s1ngularity), the article advocates for dependency cooldowns": intentional delays before installing newly published packages. Npm, Yarn, pnpm, and Dependabot all now support configurable cooldown settings; a 12-hour minimum would have blocked both attacks entirely.


Global S3: Another C2 Channel for AgentCore Code Interpreters
AWS Bedrock AgentCore Code Interpreters in Sandbox mode allow unrestricted global S3 access (including cross-account, public/pre-signed URLs), enabling a bidirectional S3-based C2 channel/reverse shell.


Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions
Docker and Socket have uncovered malicious Checkmarx KICS images and suspicious code extension releases in a broader supply chain compromise.


My Claude Code Setup (2026 Edition)
A walkthrough of my Claude Code setup across a multi-project monorepo: global settings, safety guardrails, a context/plan/code workflow, subagents and plugins, and the StarCraft-themed customisations that make the terminal feel like mine.

Tools


magika
Fast and accurate AI powered file content types detection.


redai
AI-driven vulnerability discovery and live validation.


symphony
Symphony turns project work into isolated, autonomous implementation runs, allowing teams to manage work instead of supervising coding agents.


trailmark
Build and query a graph database representation of source code. You can also check out the companion blog post.


skills
Agent Skills for Google products and technologies.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present CloudSecList · Marco Lancini