AWS Security Digest·Week 16 of 2026·Apr 14-20, 2026·8 items
Vercel Got Pwned Through a Calendar App
A Vercel employee had OAuth-trusted Context.ai with their corporate Google account. Lumma Stealer hit Context.ai. The attacker walked from Google Workspace into Vercel and read non-sensitive environment variables. Also this week: Vect ransomware lists Trivy/LiteLLM victims, AWS patches EFS CSI and Encryption SDK for Python.
In this issue1critical3high2medium2info
Highlights
8 items
$ tail -f /var/log/aws-security.log
high/Incident/
Vercel Got Pwned Through Context.ai
Vercel disclosed an incident on April 19, 2026 that exposed non-sensitive environment variables for a limited subset of customer projects.
The attack chain: Lumma Stealer compromised Context.ai (an AI office-suite vendor) around February. Attackers extracted Google Workspace OAuth tokens. One Vercel employee had signed up for Context.ai using their corporate Google account, opening a path the attacker walked from Workspace into that employee's Vercel account, and from there into Vercel's internal systems.
Vercel confirmed no npm package compromise after collaborating with Microsoft, GitHub, npm, and Socket. Variables marked "sensitive" use stronger encryption and were not accessed.
critical/Threat Intel/
Vect Begins Trivy/LiteLLM Extortion
Around April 15, 2026 the Vect ransomware leak site began publishing victims that Halcyon characterized as the extortion phase following TeamPCP's March supply-chain compromises against Trivy, trivy-action, setup-trivy, and LiteLLM.
Named victims include property-management vendor Guesty (~700 GB claimed) and S&P Global (~250 GB claimed). Caveat: per The Register, "it's unclear how many, if any, of the listed orgs are tied to Trivy and LiteLLM-related compromises," and the volumes are attacker-stated.
Independent analysis from Halcyon, JUMPSEC, and Check Point confirmed Vect's "ransomware" is effectively a wiper. A flaw in the encryption implementation discards three of four decryption nonces for any file larger than 128 KB, making recovery impossible even if the ransom is paid.
A Kubernetes user with PersistentVolume creation rights can inject arbitrary mount options through two unsanitized fields: the Access Point ID in volumeHandle and the mounttargetip volumeAttribute.
The attack works by appending comma-separated values that the mount utility reads as separate options.
Mitigation in advance of upgrade: tighten Kubernetes RBAC on PersistentVolume and StorageClass creation.
A cryptographic algorithm downgrade in the ESDK's shared key cache could allow an authenticated local attacker to bypass key-commitment policy enforcement.
The practical consequence: a single ciphertext can decrypt to multiple distinct plaintexts, breaking the integrity guarantee that key commitment was designed to provide.
Affected
AWS Encryption SDK Python 2.0-2.5.1
3.0-3.3.0
4.0-4.0.4
Fixed In
AWS Encryption SDK Python 3.3.1
4.0.5
KMS
medium/Compliance/
Secure AI Agent Access via MCP
AWS published guidance on securing AI agent access to AWS resources via Model Context Protocol, organized around three principles: least privilege, organizational role governance, and explicitly differentiating AI-driven from human-initiated actions in CloudTrail and IAM. Required reading before exposing any AWS account to an MCP server.
IAMBedrock
medium/Feature Launch/
Interconnect Hits GA with MACsec by Default
AWS Interconnect is generally available, providing managed private connectivity between AWS VPCs and other cloud providers. The "last mile" option provisions four redundant connections across two physical locations with MACsec encryption and Jumbo Frames enabled by default. For network architects evaluating cross-cloud private connectivity, this raises the encryption baseline considerably versus self-managed Direct Connect + IPsec.
InterconnectDirect ConnectVPC
info/Service Update/
OCSF ETL Into Security Lake
AWS published a configuration-driven ETL solution for transforming custom security logs into OCSF format using Step Functions plus AWS Glue or EMR Serverless, then landing them into Security Lake. Useful for teams trying to standardize on OCSF without writing one-off Lambda transformers per source.
Security LakeGlueStep Functions
info/Service Update/
Clone Your CloudHSM Across Regions
AWS Security Blog walkthrough on cloning a CloudHSM cluster across Regions using CopyBackupToRegion, with key-material synchronization and a clean DR runbook. Niche but high-value content for any team running CloudHSM at all.
CloudHSM
Key Takeaway
1 item
$ cat WEEKLY_SUMMARY.md
The Vercel/Context.ai chain is the sharpest illustration this year of how OAuth-trust between a SaaS your employee signed up for and your corporate Google Workspace can become a tunnel straight into your cloud secrets. Audit your Workspace third-party app permissions like you audit IAM. And mark sensitive variables as sensitive. The encryption boundary works.
These weekly digests are a starting point. Contact us for tailored threat briefings, security assessments, and architectural guidance for your AWS environment.
