Release Date: 10/05/2026 | Issue: 337
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

We scanned 1 million exposed AI services. Here's how bad the security actually is

Intruder scanned 1 million exposed AI services and found that 31% of Ollama APIs responded to an unauthenticated prompt. The rush to deploy AI infrastructure is outpacing basic security hygiene: chatbots leaking conversation history, agent platforms exposing credentials, and LLM APIs with no authentication at all. Of all the software Intruder has ever investigated, AI infrastructure is by far the most vulnerable.

Read the full research

This week's articles


The Danger of Multi-SSO AWS Cognito User Pools
This post explores security anti-patterns in multi-SSO AWS Cognito User Pools: ghost identity injection via misconfigured Lambda triggers, "triggerSource" blind spots, sub-splitting attacks on "event.userName", and IdP identifier hijacks. It also introduces "maSSO", a weaponized OIDC/SAML IdP for pentesting.


Skill Issues: How We Discovered Supply Chain Attack Vectors in an AI Agent Skills Marketplace
Orca Security identified four supply chain attack primitives in an AI agent skills marketplace: unauthenticated install count inflation, non-deterministic security scanning, silent skill name override, and blind bulk updates. Together these enable bait-and-switch, nested skill injection, and delayed weaponization attacks that achieved real-world RCE.


The (In)security Landscape of AI-Powered GitHub Actions (Part 2/2)
Wiz researchers analysed popular AI GitHub Actions (Anthropic, OpenAI, Google) and found: bot permission-check bypasses enabling untrusted external apps to trigger AI workflows, novel credential-file exfiltration vectors unrecognised by LLMs as sensitive, and widespread misconfigurations in repos with 200,000+ combined stars.


Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Steal Secrets and Poison CI
GitHub account BufferZoneCorp published sleeper packages that later added credential theft, GitHub Actions tampering, fake Go wrappers, and SSH persistence.


Inside Claude Managed Agents: Reverse-Engineering the Security Boundaries of Anthropic’s Hosted Agent Runtime
Pluto Security reverse-engineered Anthropic's Claude Managed Agents cloud runtime, finding gVisor sandboxing, JWT-authenticated egress proxy with TLS inspection, silent allowlist expansion (+6 undocumented hosts), strong vault-based credential isolation (secrets never enter sandbox), and maximally permissive defaults requiring active hardening.


LeakyLM: AI Assistants Are Leaking Your Conversations
Research disclosing that ChatGPT, Claude, Grok, and Perplexity embed third-party trackers (Meta, Google, TikTok) that leak conversation URLs, email hashes, and user identifiers via client-side pixels and server-side forwarding, often bypassing cookie consent.


Unmasking the Docker ONBUILD Supply Chain Attack Vector
Docker's ONBUILD directive is a feature designed to reduce boilerplate in downstream images. This article demonstrates how a compromised or malicious base image can exploit ONBUILD to intercept build-time secrets, tamper with build outputs, and achieve arbitrary remote code execution during a downstream build. All of this is invisible from the view of the downstream Dockerfile.


Workload Identity Federation for Claude
Workload Identity Federation (WIF) lets your workloads authenticate to the Claude API using short-lived OpenID Connect (OIDC) tokens issued by an identity provider (IdP) you already operate, such as AWS IAM, Google Cloud, or any standards-compliant OIDC issuer (GitHub Actions, Kubernetes service accounts, SPIFFE, Microsoft Entra ID, or Okta), instead of long-lived sk-ant-... API keys.

Tools


AntiSSRF
A secure code library that provides robust URL validation to mitigate the risk of Server-Side Request Forgery (SSRF) vulnerabilities.


distil-ai-slop-detector
Detect AI-generated text locally in your browser.


below
A time traveling resource monitor for modern Linux systems.


deepsec
Deepsec is a security harness, powered by coding agents, for finding vulnerabilities in your codebase. You can also check out the companion blog post.


azure-iam-enum
Enumerate Azure RBAC and Microsoft Entra ID permissions for Entra ID groups, service principals, and users.

From the cloud providers


#AWS Introducing Trusted Remote Execution: Policy-Enforced Scripts for AI Agents and Humans
AWS announced Trusted Remote Execution (Rex, for short), an open source scripting runtime where every system operation is authorized by policy. Scripts are written in Rhai, a lightweight language with no built-in system access.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini