Release Date: 05/07/2026 | Issue: 345
Know someone who'd find this useful? Forward this email
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

This week's articles


How LLM-driven EDR evasion works
SpecterOps reverse engineered Cortex XDR with LLMs to extract YARA rules, ML models, and behavioral detections.


Controlling the Rollout of Large-Scale Monorepo Changes
Uber's blog post discusses the challenge of managing large-scale changes in a monorepo environment where thousands of microservices are automatically deployed. The key issue is minimizing the impact of bad changes that affect multiple services.


Three Ways to Give an AI Agent an Identity
This post compares three AI agent identity models: acting as the user (simple but single-player), service account tokens (common in production but insecure), and SPIFFE-based workload identity (best but costly to implement). Covers governance plumbing like Okta XAA and cloud-provider managed options.


AI brands as bait: How threat actors are using the AI hype in social engineering
Threat actors impersonate AI brands (ChatGPT, Claude, DeepSeek, Copilot) in phishing, malvertising, and SEO-poisoning campaigns to steal credentials, credit card data, and deliver infostealers like Vidar. Storm-3075 and Fox Tempest are attributed actors using signed malware.


Apps can now impersonate human access to AWS via IAM Identity Center
AWS IAM Identity Center now lets server-side apps exchange an IdP-issued OIDC token for user-scoped AWS credentials via CreateTokenWithIAM, ListAccounts, and GetRoleCredentials. Actions are attributed to the user in CloudTrail. Key gaps: no per-app scope restrictions and no application ARN in audit trails.

Tools


aws-slack-alerts
Send regular account status updates to a slack workspace.


whim
Throwaway root shells in AWS Lambda Firecracker microVMs.


detection-chokepoints
A community detection engineering resource organized around invariant prerequisites.

From the cloud providers


#AWS   How to use the AWS Workload Credentials Provider for cross-account secret retrieval and prefetching secrets
The AWS Workload Credentials Provider now supports two new features: IAM role chaining for cross-account secret retrieval via a single provider instance, and prefetching to pre-populate the in-memory cache at startup, reducing cold-start latency for latency-sensitive workloads.


#GCP   Securing agentic AI: What's new in VPC Service Controls
Designed for agentic workloads, new capabilities in VPC Service Controls can help establish a network-level, destination-based perimeter.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! ๐Ÿ‘Œ

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
ยฉ 2019-present CloudSecList ยท Marco Lancini