Release Date: 31/05/2026 | Issue: 340
Know someone who'd find this useful? Forward this email
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

This week's articles


Comparing AI Application Security Testing Platforms
Doyensec compared Aikido Attack AI Pentest and XBOW Lightspeed for web app vulnerability detection, evaluating true/false positives, configuration, report quality, cost, speed, and impact on tested applications. Full findings available as a PDF.


When Background AI Agents Become a Security Boundary Problem
Claude Code's background sessions, supervisor process, CLAUDE_CONFIG_DIR override, scheduled tasks, and Markdown-based agent definitions can be chained post-foothold to deploy a persistent, nearly invisible C2 agent evading standard EDR binary-focused detection.


Google API keys keep working after you delete them long enough to be exploited
Deleted Google API keys remain valid for up to 23 minutes due to eventual consistency in Google's infrastructure, allowing continued exploitation of leaked keys. Service accounts revoke in ~5s; newer Gemini keys in ~1 minute. Google closed the report as "won't fix.".


We hardened zizmor's GitHub Actions static analyzer
Trail of Bits Blog improved YAML anchor support in zizmor and tested it against 41,253 real-world GitHub Actions workflows from high-value open-source projects.


From Jira to PR: How we built agent-driven pipelines for design system changes
1Password built an agent-driven pipeline automating Jira-to-PR workflows for their React design system. Success required encoding tacit contributor knowledge as explicit executable skills and exposing design system context via MCP, enabling reviewers to iterate rather than rewrite agent-generated PRs.


A Security Researcher’s Guide to Understanding Copilot Studio AI Agents
A guide to understanding Copilot Studio AI agents, their deeper architecture on Entra ID and APIM, and key security risks.


Detecting and removing dangerous secrets on dev workstations before Shai-Hulud does
A post explaining how to detect cleartext secrets on developer workstations by combining bagel (secret scanner) with Fleet/osquery for policy enforcement. A proof-of-concept repo ties them together, enabling Slack alerts and IdP-based SSO blocking for non-compliant machines.

Tools


TailscaleHound
OpenGraph Collector for Tailscale. You can also check out the companion blog post.


cicd-sensor
Open-source eBPF runtime security sensor for GitHub Actions and GitLab CI/CD.


bumblebee
Read-only developer endpoint scanner for on-disk package, extension, and developer-tool metadata, built to check exposure to known software supply-chain compromises. You can also check out the companion blog post.


pocket-id
A simple and easy-to-use OIDC provider that allows users to authenticate with their passkeys to your services.

From the cloud providers


#AWS   Well-architected best practices for software supply chain security
Aligned with the AWS Well-Architected Security Pillar, the article recommends defending against npm supply chain attacks (e.g., Shai-Hulud) by using temporary credentials, least-privilege IAM, artifact signing via AWS Signer, centralized dependency management with CodeArtifact, continuous scanning via Amazon Inspector, and CloudTrail-based monitoring.


#GCP   Securing Your Gemini and Google API Keys
Protect your Gemini API keys with this guide on API restrictions, secure storage in Secret Manager, and key hygiene to prevent hijacking and unauthorized use.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present CloudSecList · Marco Lancini