CISO Brief
Cloud IAM Guardrails, AWS Agent Tools, and Active Exploit Alerts


Coverage: 06 May 2026 (UTC)


At Next ’26, Google Cloud introduced identity, gateway, and runtime defenses to secure autonomous agents, while AWS launched the Agent Toolkit to standardize skills, governance, and observability for coding agents. Alongside these guardrails, advisories flagged active exploitation and fresh sandbox escapes, and operators detailed response lessons from recent outages and supply‑chain compromises.

Controls for agentized workloads scale up

Google Cloud is making agents first‑class citizens with Agent Identity built on SPIFFE, an Agent Gateway that enforces contextual Zero Trust, and runtime protections via Model Armor that counter prompt injection, tool poisoning, and data leakage. Policy features reach from Allow/Deny for Agent Identity to preview Principal Access Boundaries and Unified Access Policy, with an Agent Security dashboard for discovery, scanning, and graph‑based risk insights. Several capabilities are in preview, but the direction is consistent: centralize identity, constrain permissions, and add inline runtime checks to improve accountability and least privilege for agent workflows.

AWS is moving agent enablement from labs to production. The managed MCP Server provides a single, auditable interface for agents to call AWS APIs with IAM guardrails, CloudWatch metrics, and CloudTrail logs, and supports long‑running operations and sandboxed Python. Amazon’s AgentCore Memory adds structured metadata and filters to long‑term memory so agents retrieve only pertinent context, improving response precision and controlling prompt size.

To fuel larger models, AWS expanded availability of EC2 P6‑B300 instances to US East (N. Virginia), adding to US West (Oregon) and AWS GovCloud (US‑East). The p6‑b300.48xlarge offers eight NVIDIA Blackwell Ultra GPUs, increased GPU memory, and higher interconnect bandwidth aimed at training and deploying very large LLMs with improved throughput and reduced parallelism overhead.

Governance and integrity measures tighten

Google broadened binary supply‑chain defenses with Binary Transparency for Android, creating a public, append‑only ledger that attests production Google apps and Mainline modules. Verification tooling will let users and vendors confirm that device software matches authorized releases, raising the bar against signed‑but‑malicious builds. In enterprise identity estates, AWS expanded Directory Service security settings for Managed Microsoft AD with DISA STIG‑aligned controls. Administrators can declare directory baselines centrally; AWS persists configurations across domain controllers and Regions, reducing drift and streamlining compliance checks.

Advisories and emerging exploit paths

CISA added CVE‑2026‑0300 affecting Palo Alto Networks PAN‑OS to its KEV Catalog based on evidence of active exploitation, urging rapid remediation and, where immediate fixes are not possible, compensating controls and heightened monitoring in line with BOD 22‑01 practices.

A new critical sandbox escape in the Node.js library vm2 allows code execution on hosts; BleepingComputer reports CVE‑2026‑26956 is exploitable under specific Node.js 25 features and is fixed in newer vm2 releases. Separately, Kaspersky details how VoidStealer sidesteps Chrome’s Application‑Bound Encryption by attaching as a debugger and extracting the master key at runtime, enabling session hijacking across Chromium‑based browsers. Research highlighted GPU‑originated bitflips: Schneier summarizes Rowhammer‑style attacks on NVIDIA Ampere GPUs that corrupt GDDR page tables to escalate into host memory control, with variants working even when IOMMU is enabled. On Linux, CSO Online covers Trend Micro’s QLNX, a P2P RAT with rootkit‑backed stealth, PAM tampering, and encrypted multi‑channel C2 that complicate takedown and response. Why it matters: these routes bypass familiar guardrails — from language sandboxes to browser storage and IOMMU boundaries — underscoring the need for defense‑in‑depth and runtime monitoring.

Incidents and response lessons

Cloudflare described how incorrect DNSSEC signatures at DENIC triggered widespread resolution failures under .de; by applying a Negative Trust Anchor, Cloudflare restored reachability while highlighting diagnostics gaps and the value of serve‑stale and coordinated operator response. The incident illustrates how missteps high in the DNS chain propagate quickly and how operational tooling can bound impact.

Disc Soft confirmed trojanized DAEMON Tools Lite installers and released a clean build; BleepingComputer notes Kaspersky validated version 12.6 and tracked thousands of infections tied to signed 12.5.x packages that deployed info‑stealing and lightweight backdoor components. On macOS, Microsoft observed a ClickFix‑style campaign shifting from trojanized apps to one‑line Base64 Terminal commands that execute in memory, harvest credentials and browser data via AppleScript, and persist with LaunchAgents/Daemons; mitigations include XProtect updates, paste‑block prompts, and EDR protections. Finally, BleepingComputer relays Rapid7’s analysis of MuddyWater using Microsoft Teams social engineering and a Chaos‑branded ransomware decoy to mask espionage, with persistence via RDP and remote‑management tools and a signed loader delivering a bespoke backdoor.
