Tag: amazon
9 articles

Amazon Fined $2.25M for Withholding Fraud Evidence
Amazon has been fined $2.25 million for allegedly blocking identity-theft victims from accessing records of fraudulent transactions, violating the Fair Credit Reporting Act. The company reportedly told some consumers that they couldn't access the requested records, adding to the frustration of those trying to recover from scams.

Amazon AI Coding Tool Exposes Cloud Credentials to Malicious Git Repos
A security vulnerability in Amazon's AI coding assistant, tracked as CVE-2026-12957, allowed malicious Git repositories to access sensitive cloud credentials, raising concerns about informed consent and user security. The flaw enabled automatic execution of commands with no user prompt required.

Big Tech Reconsiders Human-in-the-Loop AI Governance
Big tech giants like Amazon are rethinking the role of human oversight in AI governance, as experts question whether humans are truly the reliable safety net they're assumed to be. Human inconsistency and unpredictability are sparking a reassessment of the "human-in-the-loop" approach to managing advanced AI tools.

AI Boosts Pentesting Efficiency by 40% at Amazon
Amazon's security team has achieved a game-changing 40% boost in pentesting efficiency by harnessing the power of artificial intelligence, significantly speeding up the process of identifying vulnerabilities and keeping the internet more secure. This innovative approach is a major win for productivity and a strong indicator of AI's growing role in cybersecurity.

Pandoc CVE-2025-51591 Critical: Must-Patch Risk
A newly spotted SSRF flaw in Pandoc (CVE-2025-51591) is being abused to trick EC2 instances into handing over AWS IMDS tokens and temporary credentials, letting attackers steal keys and pivot across cloud accounts. If you run Pandoc in build pipelines or servers, inventory instances, patch or block metadata access, and enable IMDSv2 now to stop casual credential theft.

watering-hole technique: Exclusive Risky Exposed
When nation‑state actors like APT29 weaponize familiar conveniences — such as “Sign in with Microsoft” flows and popular websites — a routine visit can hand over credentials and session tokens at scale. Amazon’s disclosure shows watering‑hole attacks have evolved, so teams and users should treat federated logins and consent prompts with fresh skepticism and stronger protections.

Cozy Bear Exposed: Risky OAuth Attack — Must-Have Alert
AWS says it disrupted a Cozy Bear (APT29) campaign that used fake websites and OAuth consent tricks to coax Microsoft users into granting access to mail, calendars and other data. The episode is a reminder that convenient features like single sign‑on can be repurposed for stealthy espionage — and why cloud providers are increasingly acting as front‑line defenders.

Electronics supply chains Must-Have Shield: Best Defense
When a specialist like Data I/O is knocked offline by ransomware, production lines and device launches can grind to a halt—reminding tech companies to tighten supplier security, demand transparency, and build redundancy before the next outage.

Amazon Q Developer Must-Have Fix for Risky RCE
Amazon quietly patched serious flaws in its Q Developer VS Code extension that could let attackers inject prompts to steal local secrets like API keys or even run remote code. It’s a wake-up call to treat AI-powered IDE tools as high‑risk and lock down privileges.