AWS Adds AI Controls, Microsoft Scans Backdoors, KEV Patching Urged

In a step aimed at making AI outputs predictable and easier to govern, Bedrock introduced structured responses that conform to developer‑defined JSON schemas. Complementing that, Microsoft detailed a practical scanner for detecting backdoors in open‑weight language models. The day’s balance leans toward operational control and safety features, with critical advisories and active exploitation underscoring the need for timely patching.

AI Output Controls And Model Integrity

Structured outputs in Amazon Bedrock let teams define JSON schemas or strict tool specifications so foundation models return consistent, machine‑readable responses instead of brittle, prompt‑dependent text. This reduces retries and custom validation while simplifying logging and audits for workflows that power downstream APIs and automation. In parallel, Microsoft describes three observable signatures of model poisoning—an attention “double triangle,” strong memorization of poisoning data, and trigger fuzziness—and uses them to score candidate triggers without retraining, providing a scalable screen before deployment. The scanner’s stated limits (open‑weight access required; strongest on deterministic trigger backdoors) reinforce its role as one control in a broader defense‑in‑depth approach.

Risks extend beyond models to the agent ecosystems built around them. A new report from VirusTotal catalogs how third‑party skills can be weaponized for remote execution, semantic propagation, SSH key persistence, stealthy exfiltration, and prompt/file implants that act as cognitive rootkits. The recommended mitigations mirror supply‑chain hygiene: pin and review dependencies, enforce least privilege and sandboxing, default‑deny egress with allowlists, and protect persistent instruction files and credentials. Why it matters: controls that constrain outputs and verify provenance reduce failure modes in AI‑driven systems before they reach production.

Cloud Infrastructure Scales Up

AWS expanded GPU and CPU capacity to support high‑throughput AI and data workloads. The EC2 G7e family, powered by NVIDIA RTX PRO 6000 Blackwell Server Edition GPUs, is now available in US West (Oregon), with up to 2.3x inference gains over G6e and features like GPUDirect P2P and, in UltraClusters, GPUDirect RDMA via EFA. Separately, new EC2 C8id/M8id/R8id instances on custom Intel Xeon 6 deliver up to 43% compute uplift, 3.3x memory bandwidth, and up to 22.8 TB of local NVMe, with a bandwidth configuration feature to tune between network and EBS throughput. These additions target distributed inference, real‑time rendering, I/O‑intensive databases, and large in‑memory analytics.

The model catalog and deployment controls also broadened. SageMaker JumpStart now lists Cartesia’s Sonic 3 text‑to‑speech model for sub‑100ms, multilingual, expressive voice generation with fine‑grained control over prosody and emotion. And ECS added native linear and canary strategies when using Network Load Balancers, enabling incremental traffic shifting and CloudWatch‑driven rollbacks for long‑lived TCP/UDP services. Why it matters: higher‑performance primitives and safer rollouts allow teams to scale AI and real‑time systems while tightening operational risk.

Advisories And Active Exploitation

CISA added a high‑severity remote code execution flaw in SolarWinds Web Help Desk (CVE‑2025‑40551) to the Known Exploited Vulnerabilities catalog, per The Hacker News, urging immediate upgrades to patched versions (WHD 2026.1) and noting additional vulnerabilities fixed by the vendor. The agency also flagged a five‑year‑old GitLab SSRF (CVE‑2021‑39935) as exploited, with a three‑week remediation window for U.S. federal civilian agencies; details are summarized by BleepingComputer. These KEV listings signal observed malicious activity and the likelihood of rapid weaponization following disclosure.

Open‑source automation platform n8n faces a set of critical sandbox escapes collectively tracked as CVE‑2026‑25049, enabling authenticated users to achieve unrestricted code execution, steal stored credentials, and intercept AI workflows; administrators should upgrade to patched branches and rotate keys, according to BleepingComputer. Separately, VMware ESXi sandbox escapes centered on CVE‑2025‑22225 are now seen in ransomware operations, a development BleepingComputer reports alongside CISA guidance to apply vendor mitigations or discontinue affected products if necessary.

Infrastructure‑focused attackers are also exploiting the React2Shell issue (CVE‑2025‑55182) in React 19 server components as an entry point to hijack NGINX configurations, redirect web traffic, and capture credentials on compromised servers managed via Boato Panel; CSO cites Datadog’s observation of an evolving, automated toolkit. Why it matters: chaining deserialization, SSRF, sandbox escape, and server‑side flaws enables full environment control, emphasizing the value of rapid patching, configuration integrity monitoring, and network segmentation.

Espionage And Campaign Activity

APT28 quickly weaponized a Microsoft Office RTF vulnerability (CVE‑2026‑21509), moving from patch release to observed exploitation within days, according to CSO. Phishing lures delivered payloads such as MiniDoor and PixyNetLoader, with persistence via DLL proxying/COM hijacking and deployment of a Covenant Grunt implant; targets were concentrated in parts of Central and Eastern Europe. Across Southeast Asia, Check Point documents Amaranth‑Dragon’s targeted espionage, including rapid exploitation of a WinRAR flaw, geofenced command‑and‑control, and loaders that decrypt payloads in memory. Both operations highlight disciplined timing, tailored lures, and fast adoption of newly disclosed vulnerabilities.

On the criminal side, Infosecurity reports the long‑running SystemBC proxy malware active across more than 10,000 infected IPs, including a previously undocumented Linux variant and infections persisting for weeks in data‑center environments. The tooling converts hosts into SOCKS5 relays, masking attacker infrastructure and enabling lateral movement often seen ahead of ransomware. Why it matters: targeted state‑linked collection and commodity proxy botnets both benefit from rapid exploit adoption and persistent footholds, raising the bar for patch velocity, segmentation, and anomaly detection across email, endpoints, and exposed services.